Red Hat Trusted Software Supply Chain

Consistently code, build, and monitor for a trusted software supply chain across any environment, for faster time to value with automated security guardrails.

Code to production with integrated security in minutes

Securing the software supply chain for cloud-native applications can take months of effort to keep code compliant with the organization's security practices. Red Hat Trusted Software Supply Chain accelerates this effort for platform engineering teams by bringing Red Hat's own mature, open source software supply chain practice to reduce risk in software delivery, so that development and security teams can adopt it immediately with low effort and cost.

Code quickly without the security overheads

Your code stays compliant with your organization's security practices. Standardize on security-focused solution templates with integrated checks in Red Hat Developer Hub, a self-service developer portal that catches vulnerabilities early without the cognitive overload. Over two-thirds of application code consists of inherited open source dependencies. Use Red Hat Trusted Profile Analyzer to curate your own trusted content: open source libraries that are verified and attested with provenance checks. Identify malicious code with proactive vulnerability analysis, understand the impact radius of security threats, and remediate directly from your IDE. Cryptographically sign and certify your code before it is committed, using an open, immutable ledger that logs every submission to increase transparency at code time. With Red Hat Trusted Artifact Signer, improve the trustworthiness of your software artifacts across the software supply chain.

Build with security-focused CI/CD workflows

Building security into your container images is an integral part of the software supply chain for cloud-native applications. Red Hat Trusted Application Pipeline provides default pipeline definitions and automated security checks to generate Supply Chain Levels for Software Artifacts (SLSA) Level 3 build images from application code across a variety of programming languages. The build creates an attested, immutable Software Bill of Materials (SBOM) that establishes a chain of trust for the open source components and transitive dependencies in your packaged artifacts. Safeguard your build systems with out-of-the-box enterprise contracts integrated with cryptographic verification tools that validate artifact signatures and attestations and confirm the expected build process. Enforce security policies tied to SLSA requirements to ensure the pipeline meets compliance.

Deploy continuously with release policies as-code

Development teams need to automate continuous deployment to an auditable, immutable state with the right controls to prevent configuration drift. SLSA Level 3 and higher require a security-focused release workflow, which deploys container images to their respective cloud platforms with Red Hat OpenShift GitOps. Deployments can target a variety of Kubernetes clusters, including Red Hat OpenShift clusters, providing consistency across development, testing, staging, and production. Take advantage of Pipeline-as-Code capabilities to customize the default pipeline configuration with Red Hat OpenShift Pipelines. Policy-as-code covering everything from integration tests to a customizable Enterprise Contract, deployment, and releases across the software development lifecycle can be configured to prevent suspicious build activity from being promoted. GitOps principles, with Git serving as the single source of truth, drive the entire release workflow, which is stored and managed in various types of Git repositories.

Monitor and identify runtime security incidents

Capitalize on the unified experience to monitor the health and security of containerized applications deployed across multiple cloud platforms. With the integration of Red Hat Advanced Cluster Security for Kubernetes, security issues in deployed containers and the Kubernetes runtime environment can be detected and remedied with ease. Continuously monitor the behavior of software components and dependencies to observe the impact of changes to the risk profile. Detect and alert on security issues early, before your users notice, using analytics-driven insights that direct you to in-context troubleshooting. Prioritize and drill down on alerts by severity to reduce alert fatigue. Build images already stored and shared in registries also need constant scanning for new, emerging threats each day. Identify and mitigate security risks well before running the image with Red Hat Quay.

Code, build, deploy and monitor

Start securing software components and dependencies early in your software development lifecycle, with integrated guardrails in your software delivery that catch vulnerabilities early. Cut down on malicious code and put an end to poisoned pipelines.

Featured products

Red Hat Trusted Profile Analyzer

Use your software assets with confidence. Curate your trusted content by...

Red Hat Trusted Application Pipeline

Catch vulnerabilities early with a self-serve developer experience imbued...

Red Hat Trusted Artifact Signer

Enables cryptographic signing, verification of software, and provenance...

Red Hat Developer Hub

An enterprise-grade, open developer platform for building developer portals,...

Featured resources

A developer’s guide to setting supply chain security in DevSecOps

Collin Chau +3

White paper: Tackling CI/CD Security Anti-Patterns

Analyst brief: Getting started with CI/CD Pipeline Security

A blueprint for supply chain security

Analyst report: Adopt a holistic approach to software supply chain security

A practical guide to software supply chain security

Technical brief: Deep dive into what securing a software chain entails

Latest security articles

Article
Nov 18, 2024

Secure Java applications: A deep look into 3 different issues

Martin Balao Alonso

Explore 3 issues that can compromise your Java application's data...

Article
Nov 13, 2024

Red Hat Enterprise Linux 9.5: What are the top features for developers?

Nikhil Mungale

Find out what's new in Red Hat Enterprise Linux (RHEL) 9.5, including...

Article
Nov 06, 2024

Simplifying cluster security: RHACS in RHACM global hub

Dan Manor

This article provides a guide to integrating Red Hat Advanced Cluster...

Article
Oct 23, 2024

Log4Shell: The vulnerability that shook the world of software development

Herve Beraud

Log4Shell exposed a massive security gap in widely used open-source software...