Red Hat SummitChapter 1. Overview of Red Hat Advanced Developer Suite - software supply chain standalone CLI programs
You can use five command line interface (CLI) programs as part of Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) to enhance the security and compliance in your software supply chain.
These standalone CLI programs are shipped with Red Hat products that are either components or dependencies of RHADS - SSC:
Red Hat Trusted Artifact Signer (RHTAS) is a security tool that signs and attests software artifacts. You can install it simultaneously with RHADS - SSC or later using the Operator Lifecycle Manager. RHTAS provides access to these CLI tools:
Red Hat Trusted Profile Analyzer (RHTPA) automates the creation of software bills of materials (SBOMs) and helps you manage them. You can choose to install RHTPA during the RHADS - SSC installation. The CLI tool used for SBOMs generation is:
Red Hat Advanced Cluster Security (RHACS) is automatically installed and configured during the RHADS - SSC installation. RHACS tools thoroughly scan software artifacts to identify and address vulnerabilities at an early stage. The CLI available with RHACS is:
To check that a CLI binary is available for your architecture, view Chapter 2. Architectures
1.1. CLI programs available with RHTAS
The binaries of the Cosign, Rekor, and Conforma CLI programs are shipped as components of RHTAS. After you have installed RHTAS, you can download these binaries from the OpenShift cluster by using the OpenShift web console.
Cosign
cosign is a tool for signing container images and verifying the signatures.
-
For
cosigninstallation and usage, refer to the Signing and verifying containers by using Cosign from the command-line interface RHTAS guide. - For more instructions on signing container images with cosign, refer to Managing compliance with Conforma in RHADS - SSC docs.
Rekor
The rekor tool is a data log that stores metadata of signed software artifacts and provides transparency for signatures of those artifacts. With the Rekor CLI, you can make, verify, and query entries in the Rekor transparency log.
-
To install
rekorand query the transparency log, refer to the Rekor-related procedures in the RHTAS Deployment guide.
Conforma
Conforma is a tool that enhances security of software supply chains. You can use it to define and enforce security policies for building and testing container images. Conforma is the Red Hat-supported build of the upstream open source project Conforma.
- For the Conforma CLI installation and usage, refer to Verifying signatures on container images with Conforma.
- For more information, refer to the Managing compliance with Conforma RHADS - SSC guide.
- For full upstream Conforma documentation, refer to the community-run Conforma Documentation website.
1.2. CLI used with RHTPA
Syft
Syft is a CLI tool for generating Software Bill of Materials (SBOMs) for container images or your local file systems. It provides detailed information about packages, libraries, and dependencies of your software or file systems. Transparency on the software composition helps you secure your software supply chain and manage vulnerabilities.
Syft is distributed as a standalone container image through Red Hat Ecosystem Catalog. The container image is available for AMD64 architecture on Linux.
- To download the Syft image, view the Get this image instructions.
- To use Syft on architectures other than AMD64, install the upstream version of Syft.
- To create SBOMs with Syft, refer to Creating a software bill of materials manifest file.
- To inspect and manage SBOMs, refer to Inspecting your SBOM using Red Hat Trusted Profile Analyzer.
1.3. CLI used with RHACS
roxctl
roxctl is a CLI for running commands on RHACS. RHADS - SSC pipelines can run three roxctl tasks, including scanning your container images for vulnerabilities and checking the build-time violations of your security policies in container images and YAML deployment files.
-
To learn more about
roxctltasks in the RHADS - SSC pipeline runs, refer to Red Hat Advanced Cluster Security tasks. -
To install the
roxctlbinary, refer to the roxctl CLI guide in the RHACS docs.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}