Chapter 3. Frequently asked questions

Red Hat Trusted Profile Analyzer is a product within the Red Hat Trusted Software Supply Chain suite that helps organizations manage and analyze their Software Bills of Materials (SBOMs), vendor VEX (Vulnerability Exploitability eXchange), and CVE (Common Vulnerabilities and Exposures) information. It empowers security, developers and DevSecOps teams to assess risk profiles across custom, third-party, and open source software components without slowing down development or increasing operational complexity.

Red Hat’s Trusted Profile Analyzer service provides an application risk profile by analyzing your application’s SBOM for security and vulnerability risks of Open Source Software (OSS) dependencies. The RHTPA service has vulnerability information from CVE aggregators and Red Hat Security Advisories.

The Trusted Profile Analyzer service is a hosted instance on Red Hat’s Hybrid Cloud Console. You can use this service, free of charge, to assess the risk profile of your SBOM by uploading it directly to the service. Red Hat does not keep a copy of your SBOM.

Red Hat Trusted Profile Analyzer is ideal for organizations and teams involved in software development, security, and operations (DevSecOps) who need to manage and secure their software supply chain, especially software that uses open source and third-party components.

Red Hat Trusted Profile Analyzer addresses the need for transparency and security in software supply chains by enabling organizations to:

Trusted Profile Analyzer provides storage and management for SBOMs creating a software inventory, allowing organizations to support a comprehensive record of software components from in-house applications, and third party vendors. Trusted Profile Analyzer supports cross-referencing components within an SBOMs with CVEs and Common Security Advisory Framework (CSAF) VEX security advisories, and providing an application risk profile ensuring transparency in the software supply chain.

Trusted Profile Analyzer is an important part of Red Hat’s internal software supply chain. It provides Red Hat with a source of truth for SBOM storage, risk profiling, and analysis.

Trusted Profile Analyzer can analyze SBOMs created directly from source code, generated during the build process, or generated by the analysis of artifacts, such as containers and packages.

Trusted Profile Analyzer supports SBOMs formatted in CycloneDX 1.6 or lower, and SPDX 2.3 or lower.

Integrating RHTPA into your CI/CD pipeline is as easy as adding a task for SBOM generation, and upload it to the Trusted Profile Analyzer service.

You can deploy RHTPA on Red Hat Enterprise Linux or Red Hat Openshift Container Platform. See the RHTPA Deployment Guide for more details.

Visit the Red Hat Trusted Profile Analyzer overview page on Red Hat Developers for more information, documentation, and resources to help you get started.