Chapter 4. Viewing security insights


Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) automatically triggers an on-push pipeline when you push code changes to your repository. By default, it uses a standard build pipeline for containerized deployment that follows the Supply-chain Levels for Software Artifacts (SLSA) level 3 specification.

Figure 4.1. A successful pipeline run

The pipeline run performs the following tasks:

  • init: Configures rebuild flags and authentication. Creates an image repository secret.
  • clone-repository: Clones the repository to prepare for the build.
  • build-container:

    • Creates a container image from the source code using Buildah and pushes it to a registry.
    • Generates a Software Bill of Materials (SBOM) to document all components and dependencies.
    • Publishes security artifacts like image signatures and attestations.
  • update-deployment: Updates the GitOps repository to deploy the latest image.
  • acs-image-check, acs-image-scan, and acs-deploy-check: Each task runs a Red Hat Advanced Cluster Security (RHACS) check to ensure that the image and its deployment comply with your security policies.
  • show-sbom: Creates a complete list of the software components and libraries for transparency purposes.
  • summary: Cleans up resources and provides a summary of the pipeline run.
Note

Click any task in a pipeline run to view logs.

Prerequisites

  • The build-container and show-sbom tasks ran successfully (required to download the SBOM).

Procedure

  1. Select Catalog.
  2. Select the component you want to review.
  3. Select the CI tab > Actions column > View output icon.
  4. Review the detailed RHACS reports for the selected component.

    Figure 4.2. The detailed RHACS reports

    Note

    If you have the required permissions, you can manage vulnerabilities, policies, and review detailed vulnerability reports for a specific image in the RHACS console. For more information, see Viewing the dashboard.

  5. Select the CI tab.
  6. Select the link icon for the show-sbom task. The UI displays the SBOM task logs.
  7. Review the SBOM in your browser and search for affected components of interest, such as log4j.

    Figure 4.3. The SBOM details

  8. (Optional) To download the SBOM in the CLI: Expand the successful pipeline run and select the show-summary task.
  9. Search and copy the SBOM image URL.
  10. Run the following command on your terminal:

    $ cosign download sbom <the_sbom_url_you_copied>
  11. (Optional) To save the output to a file for detailed analysis, run the following command:

    $ cosign download sbom <the_sbom_url_you_copied> > sbom.txt

Reports from the RHACS tasks give you the security insights you need to keep your images and deployments secure.

A roxctl image scan (Image Scan) report contains the following information:

  • Vulnerability Breakdown: RHACS categorizes detected vulnerabilities by severity (Critical, Important, Moderate, Low) and by status (fixable or nonfixable), then summarizes the scan results. The summary includes the total number of vulnerabilities and components analyzed, together with the specific Common Vulnerabilities and Exposures (CVE) identifiers found.
  • Details Provided: For each identified vulnerability the report includes:

    • CVE ID: A unique identifier for the vulnerability.
    • Severity: The level of threat posed by the vulnerability.
    • Component: The software component affected by the vulnerability.
    • Component Version: The version of the affected component.
    • Remediation Suggestions: Recommendations for addressing the vulnerability, including the fixed version if available.

You can use the same approach for roxctl image check (Image Check) and roxctl deployment check (Deployment Check) reports.
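As an added example, not part of the RHADS - SSC documentation and not roxctl's own code, the following Python script performs the categorization described above on a small report. The report format is constructed for this example: its fields (cve, severity, component, version, fixed_version) mirror the details listed above but are not the roxctl image scan JSON schema, so map the field names before running it against real scan output. The script adds two checks a practitioner usually wants on top of the breakdown: a per-component upgrade plan that picks the highest fixed version covering all fixable CVEs, and a gate that fails when a fixable finding at or above a chosen severity is present.

```python
import json
import re

# Severity levels as this chapter lists them, highest first.
SEVERITY_ORDER = ("Critical", "Important", "Moderate", "Low")

# Constructed sample report. The field names mirror the details the chapter
# says each finding carries; they are an assumption for this example, NOT the
# roxctl image scan JSON schema. CVE-2021-44228 is the real log4j CVE; the
# CVE-0000-* identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "image": "quay.io/example/app:latest",
    "vulnerabilities": [
        {"cve": "CVE-2021-44228", "severity": "Critical", "component": "log4j-core",
         "version": "2.14.1", "fixed_version": "2.17.1"},
        {"cve": "CVE-0000-0002", "severity": "Important", "component": "log4j-core",
         "version": "2.14.1", "fixed_version": "2.16.0"},
        {"cve": "CVE-0000-0003", "severity": "Moderate", "component": "openssl",
         "version": "1.1.1k", "fixed_version": ""},
        {"cve": "CVE-0000-0004", "severity": "Low", "component": "curl",
         "version": "7.79.1", "fixed_version": "7.80.0"},
        {"cve": "CVE-0000-0005", "severity": "Critical", "component": "openssl",
         "version": "1.1.1k", "fixed_version": None},
    ],
})


def parse_report(text):
    """Return the list of findings from a report in the constructed format."""
    return json.loads(text)["vulnerabilities"]


def is_fixable(finding):
    """A finding is fixable when the report names a fixed version."""
    return bool(finding.get("fixed_version"))


def breakdown(findings):
    """Count findings per severity, split into fixable and nonfixable.

    Unknown severity strings get their own row instead of being dropped, so a
    change in the scanner's vocabulary cannot silently hide findings.
    """
    table = {sev: {"fixable": 0, "nonfixable": 0} for sev in SEVERITY_ORDER}
    for f in findings:
        row = table.setdefault(f["severity"], {"fixable": 0, "nonfixable": 0})
        row["fixable" if is_fixable(f) else "nonfixable"] += 1
    return table


def summary(findings):
    """Totals: findings, distinct affected component versions, fixable/nonfixable."""
    fixable = sum(1 for f in findings if is_fixable(f))
    return {
        "total": len(findings),
        "components": len({(f["component"], f["version"]) for f in findings}),
        "fixable": fixable,
        "nonfixable": len(findings) - fixable,
    }


def version_key(version):
    """Best-effort ordering of dotted versions; numeric parts compare as ints."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def remediation(findings):
    """Per component, the single upgrade that covers every fixable CVE."""
    plan = {}
    for f in findings:
        if not is_fixable(f):
            continue
        entry = plan.setdefault(f["component"], {
            "current": f["version"], "upgrade_to": f["fixed_version"], "cves": []})
        entry["cves"].append(f["cve"])
        if version_key(f["fixed_version"]) > version_key(entry["upgrade_to"]):
            entry["upgrade_to"] = f["fixed_version"]
    return plan


def fails_gate(findings, max_severity="Important", fixable_only=True):
    """True when any finding is at or above max_severity.

    By default only fixable findings block (a "fix what you can" policy).
    Unknown severities block too, so the gate fails closed.
    """
    threshold = SEVERITY_ORDER.index(max_severity)
    for f in findings:
        if fixable_only and not is_fixable(f):
            continue
        sev = f["severity"]
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) <= threshold:
            return True
    return False


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    print(json.dumps({"breakdown": breakdown(findings),
                      "summary": summary(findings),
                      "remediation": remediation(findings)}, indent=2))
    raise SystemExit(1 if fails_gate(findings) else 0)
```

The gate deliberately ignores nonfixable findings by default: blocking a build on a CVE with no available fix only trains teams to override the gate. Track those separately and revisit them when a fix ships.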

4.2. About pipeline security tasks

When you install and configure Red Hat Advanced Cluster Security (RHACS) during the Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) installation, the pipeline runs security tasks. Otherwise, the pipeline skips these steps.


Figure 4.4. The RHACS tasks in the pipeline run

Three RHACS pipeline tasks use roxctl to run security checks:

  • roxctl image scan: Identifies components and vulnerabilities in the image and generates results in JSON format.
  • roxctl image check: Verifies build-time security violations in the image. For example, policies such as 'No log4j allowed' or restrictions against including curl, wget, or package managers in production images.
  • roxctl deployment check: Checks for build-time and deploy-time security violations in the YAML deployment files.

The Pipeline Runs section under the CI tab in Red Hat Developer Hub (RHDH) displays detailed task reports. The pop-up interface displays the following items:

  • Red Hat Advanced Cluster Security (conditionally shown on the availability of RHACS tasks): Displays individual tabs for all the RHACS tasks, summarizing identified security issues.
  • Others: Provides results from the PipelineRun. For example, IMAGE_URL, and IMAGE_DIGEST. The UI only displays this section when the pop-up contains additional information (for example, Conforma or RHACS).

4.3. About Software Bill of Materials (SBOMs)

The show-sbom task creates a list of all software libraries used in the application. This list helps you identify vulnerable components and assess the impact of a newly disclosed vulnerability.

Figure 4.5. The show-sbom task in the pipeline run

The SBOM includes information about each library used in your project, such as:

  • The source of the library, author, or publisher
  • The library name
  • The library version
  • The license type

This information helps ensure that you use safely-sourced, updated, and compliant libraries. The following JSON file is a partial example of an SBOM:

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:89146fc4-342f-496b-9cc9-07a6a1554220",
    "version": 1,
    "metadata": {
        ...
    },
    "components": [
        {
            "bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
            "type": "library",
            "author": "Armin Ronacher <armin.ronacher@active-4.com>",
            "name": "Flask",
            "version": "2.1.0",
            "licenses": [
                {
                    "license": {
                        "id": "BSD-3-Clause"
                    }
                }
            ],
            "cpe": "cpe:2.3:a:armin-ronacher:python-Flask:2.1.0:*:*:*:*:*:*:*",
            "purl": "pkg:pypi/Flask@2.1.0",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "python-package-cataloger"
                    ...
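The following Python script is an added example, not code from the RHADS - SSC documentation or from Syft. It does offline what steps 7 to 11 of the procedure and this section describe: it parses a CycloneDX JSON SBOM (here a constructed document embedded inline, reusing the Flask component from the partial example above plus constructed log4j-core and Werkzeug entries), lists the source, name, version, and license of every component, searches for a component such as log4j, and applies a simple deny-list check in the spirit of the 'No log4j allowed' policy mentioned in the previous section (this is not how RHACS evaluates policies). To use it on a real SBOM, replace SAMPLE_SBOM with the contents of the file that cosign download sbom wrote.

```python
import json
import re

# Constructed CycloneDX 1.4 JSON document for this example. The Flask entry
# copies the partial SBOM shown above; log4j-core and Werkzeug are constructed
# so the search and the missing-license check have something to find.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "metadata": {"component": {"type": "container", "name": "quay.io/example/app"}},
    "components": [
        {"bom-ref": "pkg:pypi/flask@2.1.0", "type": "library",
         "author": "Armin Ronacher <armin.ronacher@active-4.com>",
         "name": "Flask", "version": "2.1.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}],
         "purl": "pkg:pypi/Flask@2.1.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "type": "library", "publisher": "The Apache Software Foundation",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"bom-ref": "pkg:pypi/werkzeug@2.1.0", "type": "library",
         "name": "Werkzeug", "version": "2.1.0",
         "purl": "pkg:pypi/Werkzeug@2.1.0"},
    ],
})


def load_sbom(text):
    """Parse and sanity-check a CycloneDX JSON SBOM before trusting its contents."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % sbom.get("bomFormat"))
    if not isinstance(sbom.get("components"), list):
        raise ValueError("SBOM has no components array")
    return sbom


def licenses_of(component):
    """Declared licenses: CycloneDX allows an SPDX id, a free-text name, or an expression."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
            continue
        lic = entry.get("license", {})
        found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return found


def inventory(sbom):
    """Flatten the fields this section lists: source, name, version, license."""
    rows = []
    for c in sbom["components"]:
        source = (c.get("publisher") or c.get("author")
                  or c.get("supplier", {}).get("name") or "unknown")
        rows.append({
            "name": c.get("name", ""),
            "group": c.get("group", ""),
            "version": c.get("version", ""),
            "purl": c.get("purl", ""),
            "source": source,
            "licenses": licenses_of(c) or ["UNKNOWN"],
        })
    return rows


def find_components(sbom, pattern):
    """Case-insensitive regex search over component name, group, and purl."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [row for row in inventory(sbom)
            if any(rx.search(row[key]) for key in ("name", "group", "purl"))]


def check_policy(sbom, denied_patterns):
    """Deny-list check in the spirit of "No log4j allowed": every match is a violation."""
    violations = []
    for pattern in denied_patterns:
        for row in find_components(sbom, pattern):
            violations.append({"policy": pattern, "component": row["name"],
                               "version": row["version"], "purl": row["purl"]})
    return violations


def unlicensed(sbom):
    """Components that declare no license at all: a compliance gap worth flagging."""
    return [row["name"] for row in inventory(sbom) if row["licenses"] == ["UNKNOWN"]]


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for row in inventory(sbom):
        print(f'{row["name"]} {row["version"]} {row["licenses"]} from {row["source"]}')
    print("log4j hits:", [r["purl"] for r in find_components(sbom, "log4j")])
    print("policy violations:", check_policy(sbom, ["log4j"]))
    print("no license declared:", unlicensed(sbom))
```

Searching the purl as well as the name matters: a Java artifact's name may be generic (for example a relocated or shaded jar) while its purl still carries the org.apache.logging.log4j group, and a name-only search would miss it.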