Reference Guide


Red Hat Trusted Profile Analyzer 1

Additional reference information for Red Hat Trusted Profile Analyzer

Red Hat Trusted Documentation Team

Abstract

This Reference Guide gives users additional information about Red Hat's Trusted Profile Analyzer service.
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright's message.

Preface

Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Reference Guide!

In this guide you can find general reference material regarding the Trusted Profile Analyzer service.

Red Hat Trusted Profile Analyzer can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOM formats by using the JSON file format. Many open source tools are available to you for creating Software Bill of Materials (SBOM) manifest files from container images, or for your application. For this procedure we are going to use the Syft tool.

Important

Currently, Trusted Profile Analyzer only supports CycloneDX versions 1.3, 1.4, and 1.5, and SPDX versions 2.2 and 2.3.

Prerequisites

Procedure

  1. To create an SBOM by using a container image.

    CycloneDX format:

    Syntax

    syft IMAGE_PATH -o cyclonedx-json@1.5

    Example

    $ syft registry:example.io/hello-world:latest -o cyclonedx-json@1.5

    SPDX format:

    Syntax

    syft IMAGE_PATH -o spdx-json@2.3

    Example

    $ syft registry:example.io/hello-world:latest -o spdx-json@2.3

    Note

    Syft supports many types of container image sources. See the official supported source list on Syft’s GitHub site.

  2. To create an SBOM by scanning the local file system.

    CycloneDX format:

    Syntax

    syft dir:DIRECTORY_PATH -o cyclonedx-json@1.5
    syft file:FILE_PATH -o cyclonedx-json@1.5

    Example

    $ syft dir:. -o cyclonedx-json@1.5
    $ syft file:/example-binary -o cyclonedx-json@1.5

    SPDX format:

    Syntax

    syft dir:DIRECTORY_PATH -o spdx-json@2.3
    syft file:FILE_PATH -o spdx-json@2.3

    Example

    $ syft dir:. -o spdx-json@2.3
    $ syft file:/example-binary -o spdx-json@2.3
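Before uploading an SBOM produced by the commands above, it is worth checking that the document is in one of the format versions this guide lists as supported. The following script is an added example, not part of the Red Hat guide or of Syft: it detects whether a JSON SBOM is CycloneDX or SPDX, reads the specification version, compares it against the supported set, and builds the matching syft command line from the syntax shown in the procedure. The sample documents are constructed stand-ins for real syft output.

```python
"""Pre-upload check for SBOMs destined for Red Hat Trusted Profile Analyzer.

Added example (not from the guide or from Syft). Supported versions are the
ones the guide states: CycloneDX 1.3-1.5 and SPDX 2.2-2.3.
"""
import json
import sys

# Format/version pairs RHTPA accepts according to the reference guide.
SUPPORTED = {
    "CycloneDX": {"1.3", "1.4", "1.5"},
    "SPDX": {"2.2", "2.3"},
}


def detect_format(sbom: dict) -> tuple[str, str]:
    """Return (format, version) for a parsed SBOM, or raise ValueError."""
    if sbom.get("bomFormat") == "CycloneDX":
        # CycloneDX JSON carries its schema version in "specVersion".
        return "CycloneDX", str(sbom.get("specVersion", ""))
    spdx = sbom.get("spdxVersion", "")
    if spdx.startswith("SPDX-"):
        # SPDX JSON records its version as e.g. "SPDX-2.3".
        return "SPDX", spdx.removeprefix("SPDX-")
    raise ValueError("not a CycloneDX or SPDX JSON document")


def is_supported(sbom: dict) -> bool:
    """True when the SBOM's format/version pair is one RHTPA accepts."""
    fmt, version = detect_format(sbom)
    return version in SUPPORTED[fmt]


def syft_command(source: str, fmt: str, version: str) -> list[str]:
    """Build the syft invocation (guide syntax) for a supported target version."""
    if version not in SUPPORTED.get(fmt, set()):
        raise ValueError(f"{fmt} {version} is not supported by RHTPA")
    output = f"{'cyclonedx' if fmt == 'CycloneDX' else 'spdx'}-json@{version}"
    return ["syft", source, "-o", output]


# Constructed minimal documents standing in for real syft output.
SAMPLE_CDX = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}
SAMPLE_SPDX = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT"}
SAMPLE_OLD = {"spdxVersion": "SPDX-2.1", "SPDXID": "SPDXRef-DOCUMENT"}

if __name__ == "__main__":
    # Usage: python sbom_check.py path/to/sbom.json
    with open(sys.argv[1]) as fh:
        doc = json.load(fh)
    fmt, version = detect_format(doc)
    status = "supported" if is_supported(doc) else "NOT supported"
    print(f"{fmt} {version}: {status} by RHTPA")
```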

Red Hat’s Trusted Profile Analyzer (RHTPA) can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOM documents. You can download and view license information from uploaded Software Bill of Materials (SBOM) documents, in CycloneDX or SPDX format. To learn more about the differences between the two license formats for CycloneDX and SPDX, see the additional resources section.

Prerequisites

  • Installation of RHTPA service on Red Hat OpenShift or Red Hat Enterprise Linux.
  • An uploaded CycloneDX 1.3, 1.4, or 1.5 document, or an SPDX 2.2 or 2.3 document.

Procedure

  1. Open a web browser, and log in to the RHTPA console.
  2. From the home page, click Search from the navigational sidebar.
  3. Find your SBOM from the list.
  4. Click the dropdown menu, and click Download License Export.
  5. Extract the license information from the downloaded .zip file.
  6. Open the comma-separated values (CSV) file to view it.

    Note

    The license reference CSV file only applies to SPDX-formatted SBOMs.

Chapter 3. Frequently asked questions

Do you have questions about Red Hat’s Trusted Profile Analyzer product and service? Here is a collection of common questions and their answers to help you understand more about Red Hat’s Trusted Profile Analyzer product and service.

Q:

What is Red Hat’s Trusted Profile Analyzer?

A:

Red Hat Trusted Profile Analyzer is a product within the Red Hat Trusted Software Supply Chain suite that helps organizations manage and analyze their Software Bills of Materials (SBOMs), vendor VEX (Vulnerability Exploitability eXchange), and CVE (Common Vulnerabilities and Exposures) information. It empowers security, development, and DevSecOps teams to assess risk profiles across custom, third-party, and open source software components without slowing down development or increasing operational complexity.

Q:

What is Red Hat’s Trusted Profile Analyzer service?

A:

Red Hat’s Trusted Profile Analyzer service provides an application risk profile by analyzing your application’s SBOM for security and vulnerability risks of Open Source Software (OSS) dependencies. The RHTPA service has vulnerability information from CVE aggregators and Red Hat Security Advisories.

The Trusted Profile Analyzer service is a hosted instance on Red Hat’s Hybrid Cloud Console. You can use this service, free of charge, to assess the risk profile of your SBOM by uploading it directly to the service. Red Hat does not keep a copy of your SBOM.

Q:

What are the benefits of using Red Hat Trusted Profile Analyzer?

A:

  • Enhanced transparency throughout the software supply chain.
  • Early detection and remediation of vulnerabilities.
  • Centralized management of SBOMs, VEX, and CVE data.
  • Reduced risk of introducing security flaws into production environments.
  • Improved compliance with industry standards for software security.

Q:

Who should use Red Hat’s Trusted Profile Analyzer?

A:

Red Hat Trusted Profile Analyzer is ideal for organizations and teams involved in software development, security, and operations (DevSecOps) who need to manage and secure their software supply chain, especially software that uses open source and third-party components.

Q:

What problems does Trusted Profile Analyzer solve?

A:

Red Hat Trusted Profile Analyzer addresses the need for transparency and security in software supply chains by enabling organizations to:

  • Manage SBOMs and vulnerability remediation information efficiently.
  • Stay informed about vulnerabilities in open source software, and proprietary codebases across software inventories.
  • Eliminate vulnerabilities early in the development process.
  • Analyze and expose license information.
  • Ensure regulatory compliance.

Q:

How does Trusted Profile Analyzer help with SBOM management and analysis?

A:

Trusted Profile Analyzer provides storage and management for SBOMs, creating a software inventory that lets organizations maintain a comprehensive record of software components from in-house applications and third-party vendors. Trusted Profile Analyzer cross-references the components within an SBOM with CVEs and Common Security Advisory Framework (CSAF) VEX security advisories, and provides an application risk profile that ensures transparency in the software supply chain.

Q:

How does Red Hat use Trusted Profile Analyzer?

A:

Trusted Profile Analyzer is an important part of Red Hat’s internal software supply chain. It provides Red Hat with a source of truth for SBOM storage, risk profiling, and analysis.

Q:

What types of SBOMs can RHTPA analyze?

A:

Trusted Profile Analyzer can analyze SBOMs created directly from source code, generated during the build process, or generated by the analysis of artifacts, such as containers and packages.

Q:

What SBOM formats does RHTPA accept?

A:

Trusted Profile Analyzer supports SBOMs formatted in CycloneDX 1.6 or lower, and SPDX 2.3 or lower.

Q:

How does it integrate into the development workflow?

A:

Integrating RHTPA into your CI/CD pipeline is as easy as adding a task that generates an SBOM and uploads it to the Trusted Profile Analyzer service.

Q:

What types of deployment are supported?

A:

You can deploy RHTPA on Red Hat Enterprise Linux or Red Hat OpenShift Container Platform. See the RHTPA Deployment Guide for more details.

Q:

Where can I learn more or get started?

A:

Visit the Red Hat Trusted Profile Analyzer overview page on Red Hat Developers for more information, documentation, and resources to help you get started.

Chapter 4. Glossary

Common terms and definitions for Red Hat’s Trusted Profile Analyzer service.

Exhort
The backend endpoint of Trusted Profile Analyzer to which all API requests are sent to retrieve the data needed for analysis, including package dependencies and vulnerabilities. The Red Hat Dependency Analytics (RHDA) integrated development environment (IDE) plug-in uses this endpoint to generate vulnerability reports within the IDE framework.
Software Bill of Materials
Also known by the acronym, SBOM. A manifest of dependent software packages needed for a particular application.
Single Pane of Glass
Also known by the acronym, SPOG. The RESTful application programming interface (API) for the Trusted Profile Analyzer web dashboard, and notifications.
Vulnerability Exploitability eXchange
Also known by the acronym, VEX. A security advisory issued by a software provider for specific vulnerabilities within a product.
Common Vulnerabilities and Exposures
Also known by the acronym, CVE. A CVE indicates a product’s exposure to attacks and malicious activities by giving it a score of 1-10, where 1 is the lowest exposure level and 10 is the highest exposure level.
Common Vulnerability Score System
Also known by the acronym, CVSS. CVSS calculates scores for CVEs according to specific formulas, so that vulnerabilities can be rated consistently across a broad range of products and networks.

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.