Red Hat SummitThis documentation is for a release that is no longer maintained
See documentation for the latest supported version.About Red Hat Trusted Application Pipeline
Learn how to secure your software development lifecycle with Red Hat Trusted Application Pipeline.
Abstract
Preface
Securing your software supply chain is critical to prevent software vulnerabilities. Red Hat Trusted Application Pipeline embeds security throughout the software development lifecycle (SDLC), enabling teams to innovate confidently while adhering to the highest security standards.
Chapter 1. Overview
Red Hat Trusted Application Pipeline RHTAP is a DevSecOps framework that integrates security from project inception to production. It reduces security risks in continuous integration/continuous delivery (CI/CD) pipelines by embedding security checks, ensuring artifact integrity, and enabling compliance with standards such as Supply chain Levels for Software Artifacts (SLSA).
1.1. Key features
- Ready-to-use templates: Start project quickly with customizable templates that include established security practices. Reduce setup time and focus on delivering secure software sooner.
- Secure CI/CD pipelines: Build, test, and deploy container images securely using pre-configured pipelines integrated with your Git repository. Apply security measures at every stage to reduce risks before code reaches production.
- Integrated security checks: Detect and address potential vulnerabilities with detailed insights to help understand the potential threats.
- SBOM management: Automatically generate a Software Bill of Materials (SBOM) for each pipeline run. Sign attestations and maintain a clear record of component origins, ensuring traceability and compliance throughout the software life cycle.
- Tamper-proof artifact signing: Apply cryptographic signatures to code submissions and related artifacts. Maintain an immutable log of build and deployment activities to preserve trust and integrity.
- Compliance and policy enforcement: Comply with standards such as Supply chain Levels for Software Artifacts (SLSA) Level 3 and enterprise requirements. Configure approval gates, run vulnerability scans, and enforce policies so only verified, compliant artifacts move forward.
1.2. Integrated technologies
RHTAP integrates with industry-leading platforms and tools:
| Component or Technology | Description |
|---|---|
| Red Hat Developer Hub (RHDH) | A self-service portal that streamlines development and integrates security best practices from the get-go. |
| Red Hat Trusted Artifact Signer (RHTAS) | Enhances software integrity through signature and attestation, ensuring all artifacts are secure and authentic. |
| Red Hat Trusted Profile Analyzer (RHTPA) | Automates the creation and management of SBOMs, providing transparency and compliance in your software supply chain. |
| Advanced Cluster Security (ACS) | Automates the scanning of artifacts for vulnerabilities. |
| OpenShift GitOps | Manages Kubernetes deployments and infrastructure using Git repositories, ensuring consistent, automated, and secure deployment practices. |
| OpenShift Pipelines | Automates the CI/CD processes with visibility and control over build, test, and deployment workflows. |
| Argo CD | Automates application deployment and lifecycle management, ensuring consistent versions of app definitions, configurations, and environments. |
1.3. Configuration options
RHTAP allows flexibility in CI/CD management, source repositories, and artifact registries:
| Category | Options |
|---|---|
| CI/CD pipelines |
Note All CI pipelines except Tekton conform to SLSA Build L2. Tekton conforms to Build L3. |
| Source repositories |
|
| Artifact registries |
|
Chapter 2. Development workflow
RHTAP integrates security at every step of the DevSecOps workflow:
- Start with secure templates: Leverage pre-built templates from Red Hat Developer Hub (RHDH) for a secure foundation. These templates include code repositories, documentation, and pre-configured CI/CD pipelines.
- Develop and modify code: Modify your code after creating the application. Each code change triggers a pipeline run that automatically performs security checks, including artifact signing, vulnerability scanning, and SBOM generation.
- Managed deployment: RHTAP enforces security policies throughout the development lifecycle, from development to production, using Enterprise Contracts (EC). This ensures that only compliant builds are deployed.
Revised on 2024-12-13 16:47:21 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}