Administration Guide


Red Hat Trusted Profile Analyzer 2

General administration for the Trusted Profile Analyzer service

Red Hat Trusted Documentation Team

Abstract

This Administration Guide gives System Administrators guidance on how to maintain the Trusted Profile Analyzer service running on Red Hat platforms.

Preface

Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Administration Guide!

Chapter 1. What are importers?

An importer in Red Hat Trusted Profile Analyzer (RHTPA) gives you the ability to fetch advisory and vulnerability data from different remote sources. Then RHTPA uses this data to give you more insights when analyzing your Software Bill of Materials (SBOM) and Common Security Advisory Framework (CSAF) documents.

Available importers

By default, RHTPA comes configured with four importer sources: Red Hat CSAFs, Red Hat SBOMs, the Common Vulnerability and Exposure (CVE) list version 5, and the GitHub advisory database. The Red Hat CSAF and SBOM importers are disabled by default because they can run for a long time before finishing, but you can enable them at any time. The CVE list and GitHub advisory database importer sources are enabled by default.

Scheduling

By default, each importer source is scheduled to run every 1 day. This means an enabled importer source runs once a day. After a successful initial run of the importer, the next scheduled run is 24 hours from the time the importer job finished.

Computing resources

Computing resources, and setting limits on those resources in Red Hat OpenShift Container Platform, are important to ensure that the application runs stably and performs as expected. The default resource request is 1 CPU and 8 GB of RAM, for both the importer and API server deployments. There are no resource limits by default.

You can either reduce the resource requirements, at the cost of stability, or give more resources to the cluster, supporting the workload. Pods can fail to start, or become stuck in a "Pending" state, if computing requirements are not adequate to support the workload.

Additional resources

Chapter 2. Creating a software bill of materials manifest file

Red Hat Trusted Profile Analyzer can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOM formats by using the JSON file format. Many open source tools are available to you for creating Software Bill of Materials (SBOM) manifest files from container images, or for your application. For this procedure we are going to use the Syft tool.

Important

Currently, Trusted Profile Analyzer only supports CycloneDX version 1.3, 1.4, and 1.5, along with SPDX version 2.2, and 2.3.

Prerequisites

Procedure

  1. To create an SBOM from a container image.

    CycloneDX format:

    Syntax

    syft IMAGE_PATH -o cyclonedx-json@1.5

    Example

    $ syft registry:example.io/hello-world:latest -o cyclonedx-json@1.5

    SPDX format:

    Syntax

    syft IMAGE_PATH -o spdx-json@2.3

    Example

    $ syft registry:example.io/hello-world:latest -o spdx-json@2.3

    Note

    Syft supports many types of container image sources. See the official supported source list on Syft’s GitHub site.

  2. To create an SBOM by scanning the local file system.

    CycloneDX format:

    Syntax

    syft dir:DIRECTORY_PATH -o cyclonedx-json@1.5
    syft file:FILE_PATH -o cyclonedx-json@1.5

    Example

    $ syft dir:. -o cyclonedx-json@1.5
    $ syft file:/example-binary -o cyclonedx-json@1.5

    SPDX format:

    Syntax

    syft dir:DIRECTORY_PATH -o spdx-json@2.3
    syft file:FILE_PATH -o spdx-json@2.3

    Example

    $ syft dir:. -o spdx-json@2.3
    $ syft file:/example-binary -o spdx-json@2.3
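As an added example that is not part of this guide, of Syft, or of the RHTPA product, the following Python script checks that an SBOM JSON document produced by the commands above declares one of the format versions that Trusted Profile Analyzer supports (CycloneDX 1.3, 1.4, 1.5; SPDX 2.2, 2.3) before you upload it. It reads the standard CycloneDX fields bomFormat and specVersion and the SPDX field spdxVersion; the sample documents at the bottom are constructed, not real scan output.

```python
"""Check that an SBOM JSON file declares a format version that Trusted Profile
Analyzer accepts. Added example; it is not part of the RHTPA product or of Syft."""
import json

# Versions the guide lists as supported.
SUPPORTED_CYCLONEDX = {"1.3", "1.4", "1.5"}
SUPPORTED_SPDX = {"SPDX-2.2", "SPDX-2.3"}


def detect_sbom(doc: dict) -> tuple[str, str]:
    """Return (format, version) for a parsed CycloneDX or SPDX JSON document.

    CycloneDX JSON carries bomFormat="CycloneDX" and specVersion="1.x";
    SPDX JSON carries spdxVersion="SPDX-2.x". Anything else is "unknown".
    """
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx", str(doc.get("specVersion", ""))
    if "spdxVersion" in doc:
        return "spdx", str(doc["spdxVersion"])
    return "unknown", ""


def check_sbom_text(text: str) -> tuple[bool, str]:
    """Parse raw JSON as written by `syft ... -o cyclonedx-json@1.5` or
    `-o spdx-json@2.3` and report whether RHTPA will accept the version."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"not valid JSON: {exc}"
    if not isinstance(doc, dict):
        return False, "top-level JSON value is not an object"
    fmt, version = detect_sbom(doc)
    if fmt == "cyclonedx":
        ok = version in SUPPORTED_CYCLONEDX
    elif fmt == "spdx":
        ok = version in SUPPORTED_SPDX
    else:
        return False, "neither bomFormat=CycloneDX nor spdxVersion found"
    return ok, f"{fmt} {version or '?'} {'supported' if ok else 'not supported'}"


# Constructed minimal documents shaped like Syft output (sample data, not real scans).
CDX_15 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []})
SPDX_23 = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []})
CDX_16 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": []})

if __name__ == "__main__":
    for name, text in (("cdx-1.5", CDX_15), ("spdx-2.3", SPDX_23), ("cdx-1.6", CDX_16)):
        print(name, check_sbom_text(text))
```

To check a real file, pass its contents to check_sbom_text, for example `check_sbom_text(open("sbom.json").read())`.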

Additional resources

Chapter 3. Downloading and viewing license information

Red Hat’s Trusted Profile Analyzer (RHTPA) can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOM documents. You can download and view license information from uploaded Software Bill of Materials (SBOM) documents, in CycloneDX or SPDX format. To learn more about the differences between the CycloneDX and SPDX license formats, see the additional resources section.

Prerequisites

  • Installation of RHTPA service on Red Hat OpenShift or Red Hat Enterprise Linux.
  • An uploaded CycloneDX 1.3, 1.4, or 1.5 document, or an SPDX 2.2 or 2.3 document.

Procedure

  1. Open a web browser, and log in to the RHTPA console.
  2. From the home page, click Search from the navigational sidebar.
  3. Find your SBOM from the list.
  4. Click the dropdown menu, and click Download License Export.
  5. Extract the license information from the downloaded .zip file.
  6. Open the comma-separated values (CSV) file to view it.

    Note

    The license reference CSV file only applies to SPDX-formatted SBOMs.

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.