Standalone CLIs
Explore the standalone CLIs you can use with Red Hat Trusted Application Pipeline.
Abstract
Preface
Several standalone CLIs are available to you as part of Red Hat Trusted Application Pipeline through its components and related products.
With the help of the standalone CLIs, you can customize the CI experience, along with automating and securing the process of building and testing your applications. You can enhance the software supply chain security by, for example, running enhanced security checks, signing and verifying your software artifacts, managing compliance with security policies, or generating SBOMs.
You can use these CLI tools with an instance of RHTAP running on an OpenShift cluster, or you can install them on your workstation to build and test your applications locally in a more automated and secure way.
Chapter 1. Overview of RHTAP standalone CLIs
You can use five standalone CLIs with RHTAP. They’re shipped with Red Hat products that are either components or dependencies of RHTAP:
Red Hat Trusted Artifact Signer (RHTAS) is a security tool that signs and attests software artifacts. You can install it simultaneously with RHTAP or later using the Operator Lifecycle Manager. RHTAS provides access to these CLI tools:
Red Hat Trusted Profile Analyzer (RHTPA) is automates the creation of Software Bills of Materials (SBOMs) and helps you manage them. You can choose to install RHTPA during the RHTAP installation. The CLI tool used for SBOMs generation is:
Red Hat Advanced Cluster Security (RHACS) is automatically installed and configured during the RHTAP installation. RHACS tools thoroughly scan software artifacts to identify and address vulnerabilities at an early stage. The CLI available with RHACS is:
To check that a CLI binary is available for your architecture, view Chapter 2. Architectures
1.1. CLIs available with RHTAS
The binaries of the Cosign, Rekor, and EC CLIs are shipped as components of RHTAS. After you’ve installed RHTAS, you can download these binaries from the OpenShift cluster using the OpenShift web console.
Cosign
cosign is a tool for signing container images and verifying the signatures.
-
For
cosigninstallation and usage, refer to the Signing and verifying containers by using Cosign from the command-line interface RHTAS guide. - For more instructions on signing container images with cosign, refer to Managing compliance with Enterprise Contract in RHTAP docs.
Rekor
The rekor tool is a data log that stores metadata of signed software artifacts and provides transparency for signatures of those artifacts. With the Rekor CLI, you can make, verify, and query entries in the Rekor transparency log.
-
To install
rekorand query the transparency log, refer to the Rekor-related procedures in the RHTAS Deployment guide.
EC
Enterprise Contract (EC) is a tool that enhances security of software supply chains. You can use it to define and enforce security policies for building and testing container images.
- For the EC CLI installation and usage, refer to Verifying signatures on container images with Enterprise Contract.
- For more information, refer to the Managing compliance with Enterprise Contract RHTAP guide.
- For full upstream Enterprise Contract documentation, refer to the community-run Enterprise Contract Documentation website.
1.2. CLI used with RHTPA
Syft
Syft is a CLI tool for generating Software Bill of Materials (SBOMs) for container images or your local file systems. It provides detailed information about packages, libraries, and dependencies of your software or file systems. Transparency on the software composition helps you secure your software supply chain and manage vulnerabilities.
Syft is distributed as a standalone container image through Red Hat Ecosystem Catalog. The container image is available for AMD64 architecture on Linux.
- To download the Syft image, view the Get this image instructions.
- To use Syft on architectures other than AMD64, install the upstream version of Syft.
- To create SBOMs with Syft, refer to Creating a software bill of materials manifest file.
- To inspect and manage SBOMs, refer to Inspecting your SBOM using Red Hat Trusted Profile Analyzer.
1.3. CLI used with RHACS
roxctl
roxctl is a CLI tool that performs comprehensive security checks. This tool is available to RHTAP users through RHACS. RHTAP pipelines can run three roxctl tasks: roxctl can scan your container images for vulnerabilities and check the build-time violations of your security policies in container images and YAML deployment files.
-
To learn more about
roxctltasks in the RHTAP pipeline runs, refer to Red Hat Advanced Cluster Security tasks. -
To install the
roxctlbinary, refer to the roxctl CLI guide in the RHACS docs.
Chapter 2. Architectures
RHTAP standalone CLIs are available for these architectures:
| Architectures | Cosign, Rekor, EC, roxctl | Syft |
|---|---|---|
| Linux | ||
| x86_64 | yes | yes |
| arm64 | yes | |
| ppc64le | yes | |
| s390x | yes | |
| MacOS | ||
| x86_64 | yes | |
| arm64 | yes | |
| Windows | ||
| x86_64 | yes | |
To use Syft on architectures other than x86_64 on Linux, install the upstream version of Syft.
Revised on 2024-09-10 22:08:53 UTC
