Administration Guide


Red Hat Trusted Profile Analyzer 2

General administration for the Trusted Profile Analyzer service

Red Hat Trusted Documentation Team

Abstract

This Administration Guide gives system administrators guidance on maintaining the Trusted Profile Analyzer service running on Red Hat platforms.

Preface

Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Administration Guide! This guide is intended for administrators and DevSecOps teams responsible for managing software supply chain security using Red Hat Trusted Profile Analyzer.

Red Hat Trusted Profile Analyzer (RHTPA) is a product within the Red Hat Trusted Software Supply Chain suite that helps organizations manage their software supply chain security and risk management. It empowers DevSecOps teams to assess risk across custom, third-party, and open source components without slowing development or increasing operational complexity. The Trusted Profile Analyzer service gives you a centralized, unified view of your application’s security profile, also called a Single pane of glass (SPOG) view. This SPOG view is powered by underlying RESTful application programming interfaces (APIs) and provides the basis for the RHTPA web console and notification services.

Exhort is the Trusted Profile Analyzer backend endpoint. It receives API requests to retrieve analysis data, including package dependencies and vulnerabilities. The Red Hat Dependency Analytics (RHDA) integrated development environment (IDE) plugin uses this endpoint to generate vulnerability reports within the IDE framework.

The Trusted Profile Analyzer service operates by aggregating, managing, and analyzing the following critical security documentation:

  • Software Bill of Materials (SBOM): Stores, indexes, and queries SBOMs for all your custom, third-party, and open source software components, creating a shared system of record. It supports the CycloneDX and SPDX formats.
  • Vulnerability Exploitability eXchange (VEX): A statement issued by a software provider about whether, and how, specific vulnerabilities affect a product, for example that the product is affected, is not affected, or is fixed in a given version.
  • Common Vulnerabilities and Exposures (CVE): The public identifier assigned to a specific vulnerability. Severity is expressed separately by the Common Vulnerability Scoring System (CVSS), which rates each vulnerability with a score between 0.0 and 10.0, where 0.0 is the lowest severity and 10.0 is the highest.

The Trusted Profile Analyzer service can import advisory and vulnerability data on a regular schedule, and uses this data to cross-reference the components listed in SBOM documents. This helps teams interpret the impact of a vulnerability by using metrics, such as CVSS, to prioritize their remediation efforts.
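The cross-referencing described above, as an added illustration written for this guide. It is not RHTPA code and does not describe RHTPA's internal data model: it joins the components of a CycloneDX or SPDX SBOM to a CSAF 2.0 VEX document by Package URL (purl), reports each vulnerability's product status (known_affected, under_investigation, fixed, known_not_affected) together with its CVSS v3 base score, and ranks the result so the actionable findings come first. The SBOM, the VEX document, the purls, the CVE identifiers (CVE-0000-0001, CVE-0000-0002) and the scores are all constructed placeholders.

```python
"""Join SBOM components to CSAF VEX statements by purl (added example, not RHTPA code)."""

# CSAF product_status categories, in the order a remediation list should show them.
STATUSES = ("known_affected", "under_investigation", "fixed", "known_not_affected")

# Constructed CycloneDX 1.5 SBOM with two components identified by purl.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "purl": "pkg:rpm/redhat/libexample@1.2.3-1.el9?arch=x86_64"},
        {"type": "library", "name": "otherlib", "version": "4.0.0",
         "purl": "pkg:rpm/redhat/otherlib@4.0.0-2.el9?arch=x86_64"},
    ],
}

# Constructed CSAF 2.0 VEX document, trimmed to the fields this example reads.
VEX = {
    "document": {"category": "csaf_vex", "title": "Constructed example VEX"},
    "product_tree": {"full_product_names": [
        {"product_id": "LIBEXAMPLE-1.2.3", "name": "libexample 1.2.3",
         "product_identification_helper": {"purl": "pkg:rpm/redhat/libexample@1.2.3-1.el9?arch=x86_64"}},
        {"product_id": "LIBEXAMPLE-1.2.4", "name": "libexample 1.2.4",
         "product_identification_helper": {"purl": "pkg:rpm/redhat/libexample@1.2.4-1.el9?arch=x86_64"}},
        {"product_id": "OTHERLIB-4.0.0", "name": "otherlib 4.0.0",
         "product_identification_helper": {"purl": "pkg:rpm/redhat/otherlib@4.0.0-2.el9?arch=x86_64"}},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",  # placeholder id, not a real CVE
         "product_status": {"known_affected": ["LIBEXAMPLE-1.2.3"], "fixed": ["LIBEXAMPLE-1.2.4"]},
         "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH"},
                     "products": ["LIBEXAMPLE-1.2.3"]}]},
        {"cve": "CVE-0000-0002",  # placeholder id, not a real CVE
         "product_status": {"known_not_affected": ["OTHERLIB-4.0.0"]},
         "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"},
                     "products": ["OTHERLIB-4.0.0"]}]},
    ],
}


def sbom_purls(sbom: dict) -> set[str]:
    """Collect purls from a parsed CycloneDX (components[].purl) or
    SPDX (packages[].externalRefs with referenceType "purl") document."""
    if sbom.get("bomFormat") == "CycloneDX":
        return {c["purl"] for c in sbom.get("components", []) if c.get("purl")}
    if "spdxVersion" in sbom:
        return {ref["referenceLocator"]
                for pkg in sbom.get("packages", [])
                for ref in pkg.get("externalRefs", [])
                if ref.get("referenceType") == "purl"}
    raise ValueError("not a CycloneDX or SPDX document")


def vex_product_purls(vex: dict) -> dict[str, str]:
    """Map CSAF product_id -> purl via product_identification_helper."""
    index = {}
    for fpn in vex.get("product_tree", {}).get("full_product_names", []):
        purl = fpn.get("product_identification_helper", {}).get("purl")
        if purl:
            index[fpn["product_id"]] = purl
    return index


def cross_reference(sbom: dict, vex: dict) -> list[dict]:
    """One finding per (CVE, SBOM component) pair the VEX document makes a
    statement about, ordered by status and then by descending CVSS score."""
    purls = sbom_purls(sbom)
    purl_of = vex_product_purls(vex)
    findings = []
    for vuln in vex.get("vulnerabilities", []):
        status_of = vuln.get("product_status", {})
        # Highest CVSS v3 base score stated for each product id.
        score_of: dict[str, float] = {}
        for entry in vuln.get("scores", []):
            base = entry.get("cvss_v3", {}).get("baseScore")
            if base is None:
                continue
            for pid in entry.get("products", []):
                score_of[pid] = max(score_of.get(pid, 0.0), float(base))
        # Purls the advisory says carry the fix, used as a remediation hint below.
        fixed_purls = [purl_of[p] for p in status_of.get("fixed", []) if p in purl_of]
        for status in STATUSES:
            for pid in status_of.get(status, []):
                purl = purl_of.get(pid)
                if purl not in purls:  # only components actually present in the SBOM
                    continue
                same_pkg = [fp for fp in fixed_purls if fp.split("@")[0] == purl.split("@")[0]]
                findings.append({"cve": vuln.get("cve"), "purl": purl, "status": status,
                                 "cvss": score_of.get(pid),
                                 "fixed_in": same_pkg if status == "known_affected" else []})
    findings.sort(key=lambda f: (STATUSES.index(f["status"]), -(f["cvss"] or 0.0)))
    return findings


def actionable(findings: list[dict]) -> list[dict]:
    """Findings that still need work. A known_not_affected VEX statement
    suppresses the match that a CVE-only lookup would have reported."""
    return [f for f in findings if f["status"] in ("known_affected", "under_investigation")]


if __name__ == "__main__":
    for f in cross_reference(SBOM, VEX):
        print(f"{f['cve']}  {f['status']:<20} cvss={f['cvss']}  {f['purl']}  fixed_in={f['fixed_in']}")
```

The point of the VEX join is the second finding: a CVE-only lookup would flag otherlib 4.0.0 with a critical score, whereas the provider's known_not_affected statement removes it from the actionable list, which is the noise reduction VEX exists for.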

Chapter 2. Data importers

A Red Hat Trusted Profile Analyzer data importer fetches advisory, vulnerability, and SBOM data from multiple remote sources for analysis. RHTPA then uses this data to give you more insight when analyzing your Software Bill of Materials (SBOM) and Common Security Advisory Framework (CSAF) documents.

Available importers

By default, RHTPA comes configured with the following importer sources:

  • Red Hat CSAFs
  • Red Hat SBOMs
  • Common Vulnerabilities and Exposures (CVE) list version 5
  • GitHub advisory database
  • Quay

By default, the Red Hat CSAF, Red Hat SBOM, and Quay data importers are disabled, because these importers can run for a long time before finishing. You can enable any of these data importers at any time. The Quay data importer scans the Quay registry for existing SBOMs for RHTPA to analyze.

Scheduling

By default, each importer source is scheduled to run every 1 day, so an enabled importer source runs once a day. After the first successful run of the importer, the next scheduled run is 24 hours from the time the importer job finished.

Computing resources

Computing resources, and setting limits on those resources in Red Hat OpenShift Container Platform, are important to ensure that the application runs reliably and performs as expected. The default resource request is 1 CPU and 8 GB of RAM for both the importer and API server deployments. There are no resource limits by default.

You can either reduce the resource requests, at the cost of stability, or add resources to the cluster to support the workload. Pods can fail to start, or become stuck in a Pending state, if the cluster cannot satisfy the resource requests.

Create a Software Bill of Materials (SBOM) manifest file to provide Red Hat Trusted Profile Analyzer (RHTPA) with the package data needed for security analysis. RHTPA can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOMs in the JSON file format. Many open source tools are available for creating SBOM manifest files from container images or from your application. This procedure uses the Syft tool.

Important

Currently, Trusted Profile Analyzer only supports CycloneDX version 1.3, 1.4, 1.5, and 1.6, along with SPDX version 2.2, and 2.3.

Important

The Syft binary is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the support scope for Red Hat Technology Preview features for more details.

Prerequisites

Procedure

  1. Create an SBOM from a container image.

    CycloneDX format
    syft IMAGE_PATH -o cyclonedx-json@1.5
    $ syft registry:example.io/hello-world:latest -o cyclonedx-json@1.5
    SPDX format
    syft IMAGE_PATH -o spdx-json@2.3
    $ syft registry:example.io/hello-world:latest -o spdx-json@2.3
    Note

    Syft supports many types of container image sources. See the official supported source list on Syft’s GitHub site.

  2. Create an SBOM by scanning the local file system.

    CycloneDX format
    syft dir:DIRECTORY_PATH -o cyclonedx-json@1.5
    syft file:FILE_PATH -o cyclonedx-json@1.5
    $ syft dir:. -o cyclonedx-json@1.5
    $ syft file:/example-binary -o cyclonedx-json@1.5
    SPDX format
    syft dir:DIRECTORY_PATH -o spdx-json@2.3
    syft file:FILE_PATH -o spdx-json@2.3
    $ syft dir:. -o spdx-json@2.3
    $ syft file:/example-binary -o spdx-json@2.3

You can scan software bill of materials (SBOM) documents using the Red Hat Trusted Profile Analyzer service on Hybrid Cloud Console or your own RHTPA instance. The Trusted Profile Analyzer service can analyze a standard SBOM, Artificial Intelligence Bill of Materials (AIBOM) containing language models, and Cryptographic Bill of Materials (CBOM) containing keys, certificates, and libraries.

Important

Red Hat does not retain a copy of your scanned SBOM documents.

Prerequisites

  • An existing CycloneDX 1.3, 1.4, 1.5, or 1.6, or Software Package Data Exchange (SPDX) 2.2 or 2.3 document file.

Procedure

  1. Open a web browser.
  2. Go to the Trusted Profile Analyzer console URL for your running RHTPA instance.
  3. Log in to the Trusted Profile Analyzer console with your credentials.
  4. Click SBOMs from the navigation menu.
  5. Click the Generate vulnerability report button.
  6. Drag and drop your SBOM file onto this page, or click the Browse Files button and choose the SBOM file you want to scan.
  7. After RHTPA scans the SBOM file, you get a summary of the analysis and any vulnerability information for the packages included in your SBOM file.

You can use Red Hat Trusted Profile Analyzer (RHTPA) service to find information about Software Bill of Materials (SBOM) documents, software license expressions, Common Vulnerabilities and Exposures (CVE), and advisories for Red Hat products and software packages.

Trusted Profile Analyzer searches the imported data for the latest vulnerability details and applies the current SPDX specification to define license expressions within SBOM documents.

Prerequisites

  • A running RHTPA service hosted on Red Hat Enterprise Linux or Red Hat OpenShift.

Procedure

  1. Open a web browser, and log in to the RHTPA console.
  2. From the home page, click Search from the navigational menu.
  3. In the search field enter your search query.
  4. On the search results page, you can view SBOM documents, software packages, vulnerabilities, and advisories related to your search query. You can also filter these results by date range, SBOM format, and license expression.

Red Hat Trusted Profile Analyzer (RHTPA) can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOM documents. You can download and view license information from uploaded Software Bill of Materials (SBOM) documents in either format. To learn more about the differences between the CycloneDX and SPDX license formats, see the additional resources section.

Prerequisites

  • Installation of the RHTPA service on Red Hat OpenShift or Red Hat Enterprise Linux.
  • An uploaded CycloneDX 1.3, 1.4, 1.5, or 1.6, or SPDX 2.2 or 2.3 document.

Procedure

  1. Open a web browser, and log in to the RHTPA console.
  2. From the home page, click Search from the navigational sidebar.
  3. Find your SBOM from the list.
  4. Click the options menu icon, and click Download License Export.
  5. Extract the license information from the downloaded .zip file.
  6. Open the comma-separated values (CSV) file to view it.

    Note

    The license reference CSV file only applies to SPDX-formatted SBOMs.

Labels help you organize and find your SBOM and advisory information quickly. You can manage custom labels for Software Bill of Materials (SBOM) documents and advisories by editing the SBOM and advisory information within Red Hat Trusted Profile Analyzer (RHTPA).

Prerequisites

  • Installation of the RHTPA service.
  • A web browser.
  • User credentials to access the RHTPA console.

Procedure

  1. From the RHTPA console home page, click either SBOMs or Advisories on the navigation menu.
  2. On the row for the SBOM or advisory you want to edit labels for, click the overflow menu at the end of the row, and click Edit labels.
  3. On the Edit labels page, you can add or remove labels.

    1. To add a new label, start typing the label name in the Label field, then click the Add button.
    2. To remove a label, look under the Labels of SBOM section and click the X on the label you want to remove.
  4. When finished editing the labels for SBOMs or advisories, click the Save button.

You can delete Software Bill of Materials (SBOM) documents and advisories stored in the Red Hat Trusted Profile Analyzer (RHTPA) service. This procedure explains step-by-step how to delete an SBOM document or advisory using the RHTPA web console.

Prerequisites

  • A running RHTPA service hosted on Red Hat Enterprise Linux or Red Hat OpenShift.
  • Access to the RHTPA console.

Procedure

  1. Open a web browser, and log in to the RHTPA console.
  2. From the home page, click SBOMs or Advisories from the navigational menu.
  3. Find your SBOM or advisory in the list, click the options menu icon, and click Delete.
  4. In the confirmation dialog, click the Delete button.
  5. Verify that the SBOM or advisory no longer appears in the list.

Chapter 9. Frequently asked questions

Do you have questions about Red Hat Trusted Profile Analyzer (RHTPA)? Here is a collection of common questions and their answers to help you understand more about Red Hat’s Trusted Profile Analyzer product and service.

Q:

What is Red Hat Trusted Profile Analyzer service?

A:

Red Hat Trusted Profile Analyzer service provides an application risk profile by analyzing your application’s SBOM for security and vulnerability risks of Open Source Software (OSS) dependencies. The RHTPA service has vulnerability information from CVE aggregators and Red Hat Security Advisories.

The Trusted Profile Analyzer service is a hosted instance on Red Hat’s Hybrid Cloud Console. You can use this service, free of charge, to assess the risk profile of your SBOM by uploading it directly to the service. Red Hat does not keep a copy of your SBOM.

Q:

What are the benefits of using Red Hat Trusted Profile Analyzer?

A:
  • Enhanced transparency throughout the software supply chain.
  • Early detection and remediation of vulnerabilities.
  • Centralized management of SBOMs, VEX, and CVE data.
  • Reduced risk of introducing security flaws into production environments.
  • Improved compliance with industry standards for software security.
Q:

What telemetry data does Red Hat Trusted Profile Analyzer collect?

A:

Trusted Profile Analyzer collects application telemetry data to help measure performance and to identify errors in RHTPA. Along with application telemetry, RHTPA collects SRE metrics and system metrics. For more information about Red Hat’s telemetry data collection, see our notice on the Red Hat Developers website.

Q:

Who should use Red Hat Trusted Profile Analyzer?

A:

Red Hat Trusted Profile Analyzer is ideal for organizations and teams involved in software development, security, and operations (DevSecOps) who need to manage and secure their software supply chain, especially software that uses open source and third-party components.

Q:

What problems does Trusted Profile Analyzer solve?

A:

Red Hat Trusted Profile Analyzer addresses the need for transparency and security in software supply chains by enabling organizations to:

  • Manage SBOMs and vulnerability remediation information efficiently.
  • Stay informed about vulnerabilities in open source software, and proprietary codebases across software inventories.
  • Eliminate vulnerabilities early in the development process.
  • Analyze and expose license information.
  • Ensure regulatory compliance.
Q:

How does Trusted Profile Analyzer help with SBOM management and analysis?

A:

Trusted Profile Analyzer provides storage and management for SBOMs, creating a software inventory that lets organizations keep a comprehensive record of software components from in-house applications and third-party vendors. Trusted Profile Analyzer cross-references the components within an SBOM with CVEs and Common Security Advisory Framework (CSAF) VEX security advisories to provide an application risk profile, ensuring transparency in the software supply chain.

Q:

How does Red Hat use Trusted Profile Analyzer?

A:

Trusted Profile Analyzer is an important part of Red Hat’s internal software supply chain. It provides Red Hat with a source of truth for SBOM storage, risk profiling, and analysis.

Q:

What types of SBOMs can RHTPA analyze?

A:

Trusted Profile Analyzer can analyze SBOMs created directly from source code, generated during the build process, or generated by the analysis of artifacts, such as containers and packages.

Q:

What SBOM formats does RHTPA accept?

A:

Trusted Profile Analyzer supports SBOMs formatted in CycloneDX 1.3, 1.4, 1.5, or 1.6, and SPDX 2.2 or 2.3.

Q:

How does it integrate into the development workflow?

A:

Integrating RHTPA into your CI/CD pipeline is as simple as adding a task that generates an SBOM and uploads it to the Trusted Profile Analyzer service.

Q:

What types of deployment are supported?

A:

You can deploy RHTPA on Red Hat Enterprise Linux or Red Hat OpenShift Container Platform. See the RHTPA Deployment Guide for more details.

Q:

Where can you learn more or get started?

A:

Visit the Red Hat Trusted Profile Analyzer overview page on Red Hat Developers for more information, documentation, and resources to help you get started.

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.