Red Hat SummitGetting Started with Red Hat Trusted Application Pipeline
Learn how to get started with Red Hat Trusted Application Pipeline.
Abstract
Preface
With RHTAP, you embark on a journey that transcends traditional security measures, integrating cutting-edge solutions and a DevSecOps CI/CD framework from inception to deployment. This proactive strategy accelerates developer onboarding, process acceleration, and the embedding of security from the beginning.
Chapter 1. Development workflow
The development workflow involves creating, updating, securing, and deploying applications. It also allows integration with various repositories, container registries, and CI/CD tools for flexibility.
| Step | Description |
|---|---|
| Install RHTAP | Install RHTAP to enable secure and efficient DevSecOps workflows. |
| Create an application | Use pre-built templates to create an application. These templates are customizable and include pipelines and configurations to simplify the development process. When creating an application you can choose:
Note If you select Bitbucket, GitLab CI, or Jenkins CI during application setup, you must configure these tools to trigger pipeline runs. |
| Update an application | Push updates to your application code. The pipeline automatically processes and secures the changes. |
| View security insights | Pipeline runs provide a visual representation of all tasks, offering insights into security checks and compliance. |
| Deploy an application | Promote your application from Development to Staging and then to Production environments. |
| (Optional) Customize templates and pipelines | Modify templates and pipelines to meet your organization’s specific requirements. |
Next step
- Install Red Hat Trusted Application Pipeline. If you have already installed Red Hat Trusted Application Pipeline, build an application with sample software templates.
Chapter 2. Building an application with sample software templates
RHTAP’s ready-to-use software templates include default integrations with key technologies to secure and optimize your development experience:
- ACS (Advanced Cluster Security): Identifies and mitigates vulnerabilities early in the development process, strengthening your application from inception to deployment.
- Quay: Serves as a secure harbor for your container images, continuously scanning for vulnerabilities to keep your containerized applications safe.
- OpenShift Pipelines: Automates your build and deployment processes, providing a CI/CD framework that integrates seamlessly into your SDLC and accelerates your path to production.
- OpenShift GitOps: Maintains your infrastructure and application configurations in Git repositories, ensuring consistent and automated deployment across all environments.
Additionally, RHTAP supports the development and containerization of applications in popular programming languages such as Java, Python, Node.js, and Go.
After installing RHTAP, cluster administrators can customize the Red Hat Developer Hub portal with specific templates and enhancements. However, before customization, cluster administrators should familiarize themselves with the available software and pipeline templates through this guide. Understanding these templates is key to grasping how RHTAP supports a secure supply chain, laying the groundwork for any subsequent customization.
2.1. Setting the stage
Ensure you have successfully installed RHTAP.
- If you integrated Jenkins during the installation of RHTAP, you must configure Jenkins with the appropriate credentials before using secure software templates.
If you integrated Bitbucket during the installation of RHTAP, ensure the following prerequisites are met, as the secure software templates require them to create a source repository at the correct location:
- Create a project in a Bitbucket workspace.
- Create an app password in Bitbucket.
- Log in to Red Hat Developer Hub (RHDH) using the link provided by RHTAP installer at the end of the installation process.
2.2. Building an application
On the RHDH portal, select Create, and then select a suitable template. For example, Quarkus Java - Trusted Application Pipeline.
Building an application or microservice for your developers in RHDH using the templates offered by RHTAP involves three main steps:
- Provide application information
- Provide application repository information
- Provide deployment information
Providing application information
-
In the Name field, provide an application name. Your name may incorporate lowercase letters (a-z), numbers (0-9), and dashes (-), but it must start and end with a lowercase alphanumeric character. Examples of valid names are
my-nameorabc-123, and the length should range from 1 to 63 characters. -
From the Owner dropdown list, select an appropriate RHDH component owner for this application. The default value is
user:guest, which appears if no specific owner is registered in the system. If you have not registered an owner, retain the defaultuser:guestselection. You can replaceguestwith your username to personalize ownership of the application. - Select Next. The system displays the Application Repository Information form.
Providing application repository information
From the Host Type dropdown list, select a repository host type:
- GitHub
- GitLab
- Bitbucket
- In the Repository Name field, enter a repository name using A-Z, a-z, 0-9, underscore (_), and dashes (-). The system uses this name for the repository it creates on the host repository server.
- In the Repository Owner field, specify the username, organization name, or project within an organization that owns the Git repository. For example, in Bitbucket, you can find your username by navigating to Personal Bitbucket settings.
In the Repository Server field, specify the repository server:
If you select the Host type Description GitHub
The field is pre-populated with
github.com. However, you can enter your on-premises host URL without theHTTPprotocol and without the.gitextension. For example,github-github.apps.cluster-ljg9z.sandbox219.opentlc.com.GitLab
The field is pre-populated with
gitlab.com. However, you can enter your on-premises host URL without theHTTPprotocol and without the.gitextension. For example,gitlab-gitlab.apps.cluster-ljg9z.sandbox219.opentlc.com.Bitbucket
The field is pre-populated with
bitbucket.org.-
In the Repository Default Branch field, specify the default branch for your repository. The default is
main, but you can specify a different branch name. For Bitbucket only:
- In the Workspace field, enter the name of your workspace that contains your project.
- In the Project field, enter the project key. The project key is located next to the project name in Bitbucket.
From the CI Provider dropdown list, select the continuous integration (CI) tool that the system uses to build, test, and deploy the application:
For Host type Available CI providers Bitbucket
- Jenkins (SLSA 2)
- Tekton (SLSA 3)
- Azure Pipelines (SLSA2) (Technology Preview)
GitHub
- Jenkins (SLSA 2)
- Github Actions (SLSA 2) (Technology Preview)
- Tekton (SLSA 3)
- Azure Pipelines (SLSA2) (Technology Preview)
GitLab
- Jenkins (SLSA 2)
- GitLab CI (SLSA 2)
- Tekton (SLSA 3)
Important- If you use Bitbucket as your source repository with Tekton CI, you must add a webhook in Bitbucket.
- If you use GitLab as your source repository with Tekton CI, you must add a webhook in GitLab.
- If you use GitHub Actions, you must configure the required secrets in GitHub.
- If you use GitLab CI, you must configure the required secrets in GitLab.
- If you use Azure Pipelines, you must configure the required secrets in Azure.
- If you use Jenkins, you must add your application to Jenkins.
- If in step 7 you chose Azure Pipelines as your CI provider, the UI will display the Azure Project field. Enter the name of the Azure project where RHTAP runs the pipeline.
- Select Next. The system displays the Deployment Information form.
Providing deployment information
-
In the Image Registry field, specify the on-premises image registry URL without the
HTTPprotocol. Support registries include Quay (for example,quay.io) and JFrog Artifactory (for example,tssc.jfrog.io). - In the Image Organization field, enter the image organization for the image registry you provided in the Step 1.
In the Image Name field, enter an image name using only lowercase letters, digits, and separators. Separators include a period (.), up to two underscores (_), or one or more hyphens (-). For example,
my-app_1.2.NoteYou must ensure that the name does not start or end with a separator.
In the Deployment Namespace field, enter the prefix for the namespaces or cluster where you intend to deploy your application. The system creates the namespaces as
rhtap-app-development,rhtap-app-stage, andrhtap-app-prod.Noterhtap-appis the default deployment namespace prefix. Cluster administrators can customize this prefix. For instructions on how to customize the default deployment namespace prefix, refer to Customizing sample software templates.- Select Review to review all the information that you added.
Select Create. RHTAP initiates automated tasks to set up your application’s infrastructure and deployment pipeline, including:
- Repository Creation and Configuration: Creates a new repository in your specified hosting service, including the GitOps repository and the source repository.
- Argo CD Integration: Creates and configures Argo CD resources to orchestrate the deployment of your application across specified namespaces.
- Namespace Creation: Generates namespaces for development, staging, and production environments.
- Pipeline Definition: Adds a pipeline definition, providing a "Pipelines as Code" model for building, testing, and deploying your application.
2.3. Reviewing application
After creating an application using RHTAP, you can review its components, source code, GitOps configurations, and associated documentation.
Quick analysis
For a quick review, click the links displayed on the "Run of …" page. These links provide access to important resources such as:
- Source repositories
- GitOps repositories
Comprehensive analysis
For a detailed analysis, follow these steps:
- Select Open Component in catalog or navigate to the Catalog, where your newly created application is listed.
Examining source code:
- Go to the Overview tab and select View Source to open the repository containing your application’s source code.
Reviewing deployment history:
- In the Overview tab, navigate to the Deployment summary section to review the application’s deployment across namespaces. Select any Argo CD app to view deployment details in Argo CD, or click a commit ID from the Revision column to review changes in GitLab or GitHub.
Reviewing GitOps repository:
- On the Overview tab, use the Kind dropdown to select Resource and find the relevant GitOps repository.
- Select View Source to examine the GitOps configurations directly. Alternatively, for a broader overview including technical documentation, select View TechDocs from the Catalog section and then choose the GitOps repository under Home > Repository.
Reviewing documentation:
- From the Overview tab, select View Tech Docs. This opens the technical documentation for your application, providing detailed insights into its features, configuration steps, and usage.
2.4. (Optional) Unregistering application
This process removes the application’s source and GitOps repository from your catalog and resource view, essentially hiding it. The application remains functional within the cluster. Since the underlying source and GitOps repositories are not removed, you can re-register unregistered applications at any time.
- Navigate to the Catalog and select the component that you want to unregister.
Select vertical three-dot menu associated with the component, and then select Unregister entity. The system displays a confirmation dialog box.
- Select Unregister Location. This removes the application’s Git repository from your catalog view.
- Navigate to the Catalog, from the Kind drop down list, select Resource, and then unregister the corresponding GitOps resource.
Remove the application from the cluster, by running the following command:
oc delete application your-app-name-app-of-apps -n rhtap 1- 1
- Replace
rhtapwith your namespace if different, andyour-app-namewith the name of your application.
Next step
Chapter 3. Updating code and viewing security insights
When you create a component with RHTAP, the system triggers a build pipeline. After the build pipeline completes, it deploys the latest version of the application to the development namespace. By default, the development namespace is rhtap-app-development.
To view the pipeline run:
- Open RHTAP and go to the Catalog.
- Select the modified component and go to the CI tab to view pipeline run details.
Optionally, use the following tabs for additional insights:
- CD: View deployment data managed by ArgoCD.
- Topology: Visualize your application deployment in the development namespace.
In some cases, the pipeline run might not appear immediately after the component is built. If you do not see a pipeline run after one minute, update the component’s source code to trigger a new pipeline run.
3.1. Updating source code
- Go to the Catalog and select the component you want to update.
- On the Overview tab, select View Source to open the project in GitLab or GitHub.
-
Optionally, select View Tech Docs to open the project’s documentation. The source is located in the
docs/directory of your repository. Updates to this directory trigger a pipeline run to refresh the Tech Docs. Make the necessary changes to your code:
- Clone your repository.
-
Modify your files. For example, update technical documentation or edit
index.html. - Commit and push your changes.
- You can also use the GitLab or GitHub UI to make code changes directly in your browser.
For GitLab and Bitbucket users: To trigger pipeline runs automatically after code updates, you must set up webhooks and secrets in GitLab or Bitbucket.
- For instructions on setting up webhooks in GitLab and Bitbucket, see Configuring webhooks in GitLab and Bitbucket.
- For instructions on setting up secrets in GitLab, see: Configuring GitLab CI.
- For instructions on setting up secrets in Bitbucket, see: Configuring Jenkins.
3.2. Viewing security insights
The system automatically triggers an on-push pipeline when you update your code and push changes. By default, RHTAP uses a standard build pipeline for containerized deployment meeting Software Artifacts (SLSA) level 3 specifications.
Figure 3.1. A successful pipeline run
The pipeline run performs the following tasks:
-
init: Configures rebuild flags, authentication, and creates an image repository secret. -
clone-repository: Clones the repository to prepare for the build. build-container:- Creates a container image from the source code using Buildah and pushes it to a registry.
- Generates a Software Bill of Materials (SBOM) to document all components and dependencies.
- Publishes security artifacts like image signatures and attestations.
-
update-deployment: Updates the GitOps repository to deploy the new image. -
acstasks: Runs security checks to ensure compliance with policies. -
show-sbom: Lists all software components and libraries for transparency. -
summary: Cleans up resources and provides a summary of the pipeline run.
Click any task in a pipeline run to view logs.
3.2.1. Red Hat Advanced Cluster Security tasks
RHACS tasks in the pipeline succeed only if you have installed and configured RHACS during the RHTAP installation process. If RHACS is not installed or configured, pipeline skips these tasks.
- For detailed instructions on installing RHACS, refer Installing Red Hat Advanced Cluster Security for Kubernetes.
- If you did not install and configure RHACS during the RHTAP installation process, refer Configure ACS.
Figure 3.2. The RHACS tasks in the pipeline run
The pipeline includes three RHACS tasks that use roxctl to perform security checks:
-
roxctl image scan- Identifies components and vulnerabilities in the image and returns results in the JSON format. -
roxctl image check- Verifies build-time security violations in the image. For example, policy such as 'No log4j allowed' or restrictions against including curl, wget, or package managers in production images. -
roxctl deployment check- Checks for build-time and deploy-time security violations in the YAML deployment files.
Visualizing RHACS reports
In RHDH, under the CI tab, the Pipeline Runs section displays detailed task reports in a structured pop-up interface. The pop-up includes:
- Red Hat Advanced Cluster Security (conditionally shown on the availability of RHACS tasks): Displays individual tabs for all the RHACS tasks, summarizing identified security issues.
-
Others: Provides results from the
PipelineRun, for example, IMAGE_URL, andIMAGE_DIGEST. This section displays only if multiple sections (for example, Enterprise Contract or RHACS) are available in the pop-up.
To view RHACS reports:
- Select Catalog and select the component you want to review.
Select the CI tab > Actions column > View output icon and review the detailed RHACS reports for the selected component.
Figure 3.3. The detailed RHACS reports
NoteIf you have the required permissions, you can manage vulnerabilities, policies, and review detailed vulnerability reports for a specific image in the RHACS console. For more information, see Viewing the dashboard.
Interpreting RHACS reports
Reports from RHACS tasks provide security insights that are critical for maintaining a strong security posture.
Here’s an example of interpreting roxctl image scan (Image Scan) reports. Use the same approach for roxctl image check (Image Check) and roxctl deployment check (Deployment Check) reports.
- Vulnerability Breakdown: RHACS categorize detected vulnerabilities by severity (Critical, Important, Moderate, Low), status (fixable, non-fixable), and offer a summary of the scan results. This categorization includes the total number of vulnerabilities and components analyzed, alongside specific Common Vulnerabilities and Exposures (CVEs) identified.
Details Provided: For each identified vulnerability, the report includes:
- CVE ID: A unique identifier for the vulnerability.
- Severity: The level of threat posed by the vulnerability.
- Component: The software component affected by the vulnerability.
- Component Version: The version of the affected component.
- Remediation Suggestions: Recommendations for addressing the vulnerability, including the version in which the vulnerability is fixed, if applicable.
3.2.2. Understanding SBOM
The show-sbom task creates a list of all software libraries used in the application. This helps identify vulnerabilities and assess security impacts.
Figure 3.4. The show-sbom task in the pipeline run
Viewing SBOM
Procedures
- Select Catalog and select a component.
Select the CI tab and then select the link icon for the
show-sbomtask. The system displays the SBOM task logs. Review the SBOM in your browser and search for vulnerabilities such aslog4j.Figure 3.5. The SBOM details
Downloading an SBOM in the CLI
Prerequisites
- You have installed the Cosign CLI tool.
-
The
build-containerandshow-sbomtasks ran successfully.
Procedures
-
Expand the successful pipeline run and select the
show-summarytask. Search and copy the SBOM image URL, and run the following command on your terminal.
Example cosign command
$ cosign download sbom <the-sbom-url-you-copied>
(Optional) Save the output to a file for detailed analysis:
Example cosign command
$ cosign download sbom <the-sbom-url-you-copied> > sbom.txt
Interpreting SBOMs
The SBOM includes information about each library used in your project, such as:
- The source of the library, author or publisher
- The library name
- The library version
- The license type
This information helps ensure individual libraries are safely-sourced, updated, and compliant.
Example SBOM
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:89146fc4-342f-496b-9cc9-07a6a1554220",
"version": 1,
"metadata": {
...
},
"components": [
{
"bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
"type": "library",
"author": "Armin Ronacher <armin.ronacher@active-4.com>",
"name": "Flask",
"version": "2.1.0",
"licenses": [
{
"license": {
"id": "BSD-3-Clause"
}
}
],
"cpe": "cpe:2.3:a:armin-ronacher:python-Flask:2.1.0:*:*:*:*:*:*:*",
"purl": "pkg:pypi/Flask@2.1.0",
"properties": [
{
"name": "syft:package:foundBy",
"value": "python-package-cataloger"
...
Chapter 4. Deploying application and view security insights
Deploy applications using Argo CD in OpenShift GitOps to enable continuos deployment. Argo CD uses your Git repository as a single source of truth for infrastructure configurations. Updates to the repository trigger deployments across development, staging, and production environments.
The procedures provide an example deployment workflow. Customize it to fit your organization’s requirements.
4.1. Promoting a build to a pre-production or production environment
Promote a build by updating the GitOps repository through a pull request (PR).
- In RHDH, select Catalog.
- From the Kind dropdown list, select Resource, and then select a GitOps repository.
- Open the Overview tab and select View Source to access the repository.
(Optional) Alternatively, select Catalog, open the Overview tab, and select View TechDocs.
- In the Home > Repository section, select the GitOps repository.
Clone your GitOps repository.
NoteEnsure that the local clone is up-to-date.
- Create a new branch.
-
Navigate to the
component/<app-name>/overlaysdirectory, which contains subdirectories fordevelopment,stage, andprod. Follow these steps to promote the application:
To move your application Do this From development to stage environment
-
Open th
development/deployment-patch.yamlfile and copy the container image URL. For example, quay.io/<username>/imageName:imageHash. -
Open the
stage/deployment-patch.yamlfile and replace the container image URL with the one you copied.
NoteTo include additional configuration changes (for example, replicas), copy them from the
development/deployment-patch.yamlfile to thestage/deployment-patch.yamlfile.From stage to production environment
-
Open the
stage/deployment-patch.yamlfile and copy the containers image URL. For example, quay.io/<username>/imageName:imageHash. -
Open the
prod/deployment-patch.yamlfile and replace container image URL with the one you copied.
NoteTo include additional configuration changes (for example, replicas), copy them from the
stage/deployment-patch.yamlfile to theprod/deployment-patch.yamlfile.-
Open th
- Commit and push your updates.
Create a PR to start a promotion pipeline. The pipeline validates the changes against Red Hat Enterprise Contract (Enterprise Contract) policies.
- Check the pipeline run in the CI tab of RHDH.
- Merge the PR to trigger Argo CD, which applies the changes and promotes the build to the next environment.
Verification
- Use the Topology tab in RHDH to confirm the application distribution across namespace.
- Use CD tab to view deployment details, including the status, updates, commit message (for example, Promote stage to prod), and container image changes.
4.2. Viewing security insights
The promotion pipeline includes several tasks to ensure secure and compliant deployments. The pipeline tasks include:
-
git-clone: Clones the repository into the workspace using thegit-clonetask. -
gather-deploy-images: Extracts the container images from deployment YAML files for validation. -
verify-enterprise-contract: Validates the container images using Enterprise Contract (EC) policies and Sigstore’s cosign tool. -
deploy-images: Deploys validates images to the target environment. -
download-sbom-from-url-in-attestations: Retrieves SBOMs for images by downloading OCI blobs referenced in image attestations. -
upload-sbom-to-trustification: Uploads SBOMs to Trustification using the BOMbastic API.
4.2.1. Enterprise contract task
The Enterprise Contract (EC) is a suite of tools designed to maintain software supply chain security. It helps maintain the integrity of container images by verifying that they meet defined requirements before being promoted to production. If an image does not comply with the set policies, the EC generates a report identifying the issues that must be resolved.
The Red Hat Trusted Application Pipeline build process generates a signed in-toto attestation of the build pipeline. These attestation cryptographically verify the build’s integrity. The EC then evaluates the build against defined policies, ensuring it complies with the organizational security standards.
Visualizing Red Hat Enterprise Contract (Enterprise Contract) reports
In Red Hat Developer Hub, under the CI tab, the Pipeline Runs section displays detailed compliance reports in a structured pop-up interface. The insights from Enterprise Contract compliance reports help you prioritize security and compliance tasks.
- Review policy compliance: Confirm that your application meets standards such as Supply Chain Levels for Software Artifacts (SLSA). Address any compliance gaps based on the recommendations in the report.
- Streamline review: Apply filters to focus on critical issues. This approach enables a faster, more efficient review process.
Viewing Enterprise Contract reports when using Tekton as the CI provider
- Select Catalog and select the component you want to review.
- Select the CI tab, and in the Actions column, select the View output to review the detailed Enterprise Contract report for the selected component.
Figure 4.1. The EC report
Viewing Enterprise Contract reports when using other CI providers
If you use another CI provider, such as Jenkins or GitLab:
- Navigate to the build logs of the respective application.
-
Search
Step: verify-enterprise-contractto review the detailed Enterprise Contract report.
Interpreting compliance reports
EC compliance reports provide detailed insights into application security and adherence to policies. Here’s how to understand these reports:
- Policy compliance overview: Displays the checks performed, their status, (success, warning, or failure) , and messages explaining warnings or failures.
Details provided: Policy reports detail:
- Successful checks: Lists the policies that passed validation.
- Warnings and failures: Highlights policies that triggered warnings or failed checks, with explanations.
- Rule compliance: Shows how the application adheres to individual policy rules, such as source code references or attestation validations.
Using compliance insights
The insights from EC compliance reports help prioritize security and compliance tasks:
- Review policy compliance: Ensure your application meets standards such as Supply Chain Levels for Software Artifacts (SLSA). Address any compliance gaps based on the recommendations in the report.
- Streamline review: Use filters in the reports to focus on critical issues, enabling a faster and more efficient review process.
Additional resources
- For more information on EC policy and configuration, refer Managing compliance with Enterprise Contract.
Revised on 2025-04-30 09:28:22 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}