This documentation is for a release that is no longer maintained. See the documentation for the latest supported version.
Chapter 1. Understanding RHTAP's foundations
Red Hat Trusted Application Pipeline (RHTAP) is a framework for applying security practices across the software development lifecycle (SDLC). RHTAP goes beyond traditional security measures by integrating current security tooling and a DevSecOps CI/CD framework from inception to deployment. This proactive strategy speeds up developer onboarding, accelerates delivery processes, and embeds security from the beginning.
1.1. Secure CI/CD framework
Central to RHTAP is its secure CI/CD framework, designed to uphold high standards in software development. By aligning with Supply-chain Levels for Software Artifacts (SLSA) level 3, RHTAP builds security into every artifact from the first line of code, significantly improving early vulnerability detection and mitigation.
1.2. Deep dive into RHTAP's security tools
Ensuring the security of software throughout its development is essential for mitigating potential vulnerabilities. RHTAP leverages a powerful suite of tools designed to bolster your security measures. Let’s explore how RHTAP utilizes its components to provide a robust defense against security threats.
Red Hat Trusted Artifact Signer (RHTAS)
- Red Hat Trusted Artifact Signer focuses on enhancing software integrity through signature and attestation mechanisms. By ensuring that every piece of code and every artifact is signed and attested, RHTAS provides a verifiable trust chain that confirms the authenticity and security of the software components being used.
Red Hat Trusted Profile Analyzer (RHTPA)
- Red Hat Trusted Profile Analyzer deals with the generation and management of Software Bills of Materials (SBOMs). SBOMs are critical for maintaining transparency and compliance, as they provide a detailed list of all components, libraries, and dependencies included in a software product. RHTPA automates the creation of SBOMs, ensuring that stakeholders have accurate and up-to-date information on the software’s composition.
Red Hat Advanced Cluster Security (RHACS)
- Red Hat Advanced Cluster Security strengthens your deployments by scanning your artifacts for vulnerabilities. This proactive approach helps identify and mitigate security issues early in the development process, ensuring that your applications are fortified from inception to deployment.
1.3. Essential platforms and tools
RHTAP integrates with various platforms and tools that enhance the development workflow and support secure, efficient software delivery. These tools provide the infrastructure and automation necessary for a seamless development experience.
Red Hat Developer Hub (RHDH)
- Red Hat Developer Hub serves as a self-service portal for developers. It streamlines the onboarding process and offers access to a wealth of resources and tools necessary for secure software development. This platform encourages best practices and facilitates the integration of security measures right from the start of the development process.
Quay
- Quay provides a secure repository for your container images. It acts as a reliable harbor for your containerized applications, continuously scanning for vulnerabilities and ensuring that your images remain secure throughout their lifecycle.
OpenShift GitOps
- OpenShift GitOps manages Kubernetes deployments and their infrastructure using Git repositories. By maintaining your infrastructure and application configurations in Git, OpenShift GitOps ensures consistent and automated deployment practices, reducing manual errors and enhancing deployment efficiency.
OpenShift Pipelines
- OpenShift Pipelines enables automation and provides visibility for continuous integration and continuous delivery (CI/CD) of software. By automating your build, test, and deployment processes, OpenShift Pipelines ensures a streamlined and efficient workflow, accelerating your path to production while maintaining high-quality standards.
1.4. Key security practices
RHTAP incorporates these tools to address specific security concerns effectively:
- Vulnerability Scanning: With each pull request, RHTAP conducts thorough scans with your CVE scanner of choice, such as Advanced Cluster Security, to identify and address vulnerabilities at the earliest possible stage.
- SBOM Generation: RHTAP’s automated generation of SBOMs plays a vital role in maintaining software transparency and compliance. By providing a comprehensive inventory of software components, organizations can better manage and secure their software supply chain.
- Container Image Security: RHTAP verifies that container images comply with Supply-chain Levels for Software Artifacts (SLSA) guidelines. This is achieved through an Enterprise Contract that includes over 41 rules, ensuring that the container images used in the development process meet stringent security standards.
1.5. Choosing your CI/CD tool
When setting up your CI/CD pipelines with RHTAP, you have the flexibility to choose between Tekton and Jenkins, depending on your specific requirements and preferences.
Tekton
- Tekton provides a cloud-native solution for automating the build, test, and deployment processes of your software projects. By managing your CI/CD workflows with a Kubernetes-centric approach, Tekton ensures consistent application delivery and integrates naturally with the rest of the platform. Its declarative pipelines-as-code model allows for flexibility and scalability, improving the efficiency and reliability of your development pipeline. With Tekton, you benefit from robust automation and clear visibility into your CI/CD processes, making it a good choice for modern cloud-native environments.
Jenkins
- Jenkins automates the build, test, and deployment processes of your software projects. By managing your CI/CD workflows, Jenkins ensures consistent and reliable application delivery. Its extensive plugin ecosystem offers flexibility and integration with various tools and technologies, enhancing the efficiency and effectiveness of your development pipeline.
1.6. Leveraging ready-to-use software templates
RHTAP offers ready-to-use software templates that integrate the security tools previously discussed directly into the development workflow, allowing developers to concentrate on innovation while minimizing security-related distractions. These templates are fully customizable, so they can be adapted to your organization's unique requirements.
1.7. The path forward
Embracing a DevSecOps mindset and utilizing RHTAP promotes a secure and efficient development environment. This ongoing journey of assessment and elevation equips organizations to address both current and future cybersecurity challenges effectively.