Catch vulnerabilities early with a self-serve developer experience that embeds the organization’s security practices, so distributed teams can comply with security and compliance requirements. With Red Hat Trusted Application Pipeline, development teams use solution templates with integrated security checks to standardize and expedite security-focused golden paths. Remove the toil of finding and fixing vulnerabilities early. Increase the security posture of the CI/CD pipeline with an automated chain of trust that verifies compliance is met.

Red Hat Trusted Application Pipeline validates artifact signatures, provenance, and attestations to stop suspicious build activity from being promoted.

Start curating your own trusted content and increase the security posture of your pipelines. With Red Hat Trusted Application Pipeline, increase transparency and trust early, at code time, while safeguarding build systems from a self-serve developer hub:

Save time

Save developer time and reduce cognitive load with customizable, validated templates that carry integrated safeguards for staying compliant with security requirements. Expedite onboarding of security workflows from a centralized, self-managed software catalog backed by an extensive ecosystem of plugins and modular extensions, so teams stay focused on building and shipping code faster.

Prevent malicious code

Prevent and identify malicious code early with dependency analytics that scan software components for vulnerabilities directly from the IDE, mapping and evaluating the impact radius of security threats. Generate and manage SBOMs and VEX documents stored in a system of record, so security documentation can be indexed and queried for actionable insights and recommendations.

Safeguard systems

Safeguard build systems from poisoned pipelines with an automated chain of trust for each pull request that validates artifact signatures and attestations and confirms that the expected build process was followed. Enterprise contracts integrated with cryptographic verification tools enforce security policies based on SLSA requirements, so deployments continuously reach an auditable, immutable state.

Tamper-proof artifacts

Use tamper-proof software artifacts with digital signatures at every step of the CI/CD workflow through a keyless signing system. Enhance transparency and accountability with OpenID Connect integrations for identity-based signing, backed by auditable transparency logs in a shared immutable ledger, for stronger software supply chain integrity and authenticity.
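To make the chain-of-trust checks described under "Safeguard systems" concrete, here is an added example of the promotion gate a pipeline runs before accepting an artifact. It is not Red Hat's code and not part of this page: it verifies a builder's signature over a DSSE envelope, confirms the attested subject digest matches the artifact actually held, and enforces a policy on the SLSA provenance predicate and builder identity. The builder key, artifact bytes, builder ID and the `Policy` struct are constructed assumptions; a keyless setup as described under "Tamper-proof artifacts" would replace the static key with an identity-bound certificate plus a transparency-log inclusion check, which this example does not implement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Added example, not Red Hat code. DSSE envelope, in-toto statement and the SLSA v0.2
// builder.id field are real formats; key, artifact, builder ID and policy are constructed.
const payloadType, slsaPredicateType = "application/vnd.in-toto+json", "https://slsa.dev/provenance/v0.2"

// Policy stands in for an enterprise contract (assumed shape, not the product's own).
type Policy struct{ ExpectedBuilderID, ExpectedPredicate string }
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct{ Sig string `json:"sig"` }
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     struct{ Builder struct{ ID string `json:"id"` } `json:"builder"` } `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// pae is the DSSE pre-authentication encoding; these bytes are what gets signed.
func pae(ptype string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(ptype), ptype, len(payload), payload))
}

// NewBuilderKey generates a throwaway Ed25519 key for the demo builder.
func NewBuilderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return pub, priv
}

// NewStatement builds the in-toto statement a builder attaches to an artifact.
func NewStatement(artifact []byte, builderID string) Statement {
	digest := map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(artifact))}
	stmt := Statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: slsaPredicateType,
		Subject: []Subject{{Name: "example-image", Digest: digest}}}
	stmt.Predicate.Builder.ID = builderID
	return stmt
}

// Sign wraps the statement in a signed DSSE envelope (builder side).
func Sign(priv ed25519.PrivateKey, stmt Statement) Envelope {
	body, _ := json.Marshal(stmt) // plain structs: Marshal cannot fail here
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, body)))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{Sig: sig}}}
}

// Verify is the promotion gate: signature first, then digest, predicate and builder per policy.
func Verify(pub ed25519.PublicKey, env Envelope, artifact []byte, pol Policy) error {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("malformed envelope: %w", err)
	}
	signed := false // PAE covers payloadType too, so a swapped type also fails here
	for _, s := range env.Signatures {
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (derr == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw))
	}
	if !signed {
		return fmt.Errorf("no valid signature from the trusted builder key")
	}
	var stmt Statement // payload is parsed only after the signature checked out
	if err := json.Unmarshal(body, &stmt); err != nil {
		return err
	}
	want, covered := fmt.Sprintf("%x", sha256.Sum256(artifact)), false
	for _, sub := range stmt.Subject {
		covered = covered || sub.Digest["sha256"] == want
	}
	switch {
	case !covered:
		return fmt.Errorf("attestation does not cover this artifact's digest")
	case stmt.PredicateType != pol.ExpectedPredicate:
		return fmt.Errorf("predicate %q not allowed by policy", stmt.PredicateType)
	case stmt.Predicate.Builder.ID != pol.ExpectedBuilderID:
		return fmt.Errorf("built by %q, policy requires %q", stmt.Predicate.Builder.ID, pol.ExpectedBuilderID)
	}
	return nil
}

func main() {
	pub, priv := NewBuilderKey()
	pol := Policy{ExpectedBuilderID: "https://builder.example/tekton", ExpectedPredicate: slsaPredicateType}
	env := Sign(priv, NewStatement([]byte("constructed artifact"), pol.ExpectedBuilderID))
	fmt.Println(Verify(pub, env, []byte("constructed artifact"), pol)) // <nil>: promote
	fmt.Println(Verify(pub, env, []byte("tampered artifact"), pol))    // digest error: block
}
```

The order of checks matters: the signature is verified over the raw envelope bytes before the payload is parsed, so a swapped payload, a swapped payload type, or a signature from an unexpected key all stop the gate before any policy logic runs. Only then is the subject digest compared with the artifact the pipeline actually holds, which is what ties the attestation to the thing being promoted rather than to whatever the attestation claims to describe.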

Analyze images

Constantly analyze stored images for the latest vulnerabilities to mitigate security risks before releasing images into production. Securely store and share containerized software with development and production from a container registry platform that is seamlessly integrated into the build system. Distribute Open Container Initiative content, including application signatures, SLSA attestations and software bills of materials (i.e. .sig, .att, .sbom), all from a trusted image registry.

Monitor your build

Continuously monitor the build environment with vulnerability scanning and policy checking directly from the CI/CD pipeline, with no package managers and no wget required. Deliver robust supply chain security with comprehensive monitoring and threat detection capabilities that proactively identify and mitigate vulnerabilities, ensuring the integrity and security of containerized application workloads and their Kubernetes environments.
