
About Red Hat Trusted Application Pipeline


Red Hat Trusted Application Pipeline 1.3

Learn how to secure your software development lifecycle with Red Hat Trusted Application Pipeline.

Red Hat Trusted Application Pipeline Documentation Team

Abstract

This document provides an overview of Red Hat Trusted Application Pipeline (RHTAP), detailing its key features, the technologies it integrates, and how it enables teams to build, test, and deploy secure applications efficiently.

Preface

Securing your software supply chain is critical to prevent software vulnerabilities. Red Hat Trusted Application Pipeline embeds security throughout the software development lifecycle (SDLC), enabling teams to innovate confidently while adhering to the highest security standards.

Chapter 1. Overview

Red Hat Trusted Application Pipeline (RHTAP) is a DevSecOps framework that integrates security from project inception to production. It reduces security risks in continuous integration/continuous delivery (CI/CD) pipelines by embedding security checks, ensuring artifact integrity, and enabling compliance with standards such as Supply chain Levels for Software Artifacts (SLSA).

1.1. Key features

  • Ready-to-use templates: Start projects quickly with customizable templates that include established security practices. Reduce setup time and focus on delivering secure software sooner.
  • Secure CI/CD pipelines: Build, test, and deploy container images securely using pre-configured pipelines integrated with your Git repository. Apply security measures at every stage to reduce risks before code reaches production.
  • Integrated security checks: Detect and address potential vulnerabilities, with detailed insights that help you understand the threats they pose.
  • SBOM management: Automatically generate a Software Bill of Materials (SBOM) for each pipeline run. Sign attestations and maintain a clear record of component origins, ensuring traceability and compliance throughout the software life cycle.
  • Tamper-proof artifact signing: Apply cryptographic signatures to code submissions and related artifacts. Maintain an immutable log of build and deployment activities to preserve trust and integrity.
  • Compliance and policy enforcement: Comply with standards such as Supply chain Levels for Software Artifacts (SLSA) Level 3 and enterprise requirements. Configure approval gates, run vulnerability scans, and enforce policies so only verified, compliant artifacts move forward.

1.2. Integrated technologies

RHTAP integrates with industry-leading platforms and tools:

Component or technology and its role in RHTAP:

  • Red Hat Developer Hub (RHDH): A self-service portal that streamlines development and integrates security best practices from the get-go.
  • Red Hat Trusted Artifact Signer (RHTAS): Enhances software integrity through signature and attestation, ensuring all artifacts are secure and authentic.
  • Red Hat Trusted Profile Analyzer (RHTPA): Automates the creation and management of SBOMs, providing transparency and compliance in your software supply chain.
  • Advanced Cluster Security (ACS): Automates the scanning of artifacts for vulnerabilities.
  • OpenShift GitOps: Manages Kubernetes deployments and infrastructure using Git repositories, ensuring consistent, automated, and secure deployment practices.
  • OpenShift Pipelines: Automates the CI/CD processes with visibility and control over build, test, and deployment workflows.
  • Argo CD: Automates application deployment and lifecycle management, ensuring consistent versions of app definitions, configurations, and environments.

1.3. Configuration options

RHTAP allows flexibility in CI/CD management, source repositories, and artifact registries:

Options by category:

CI/CD pipelines

  • Tekton (Default)
  • Jenkins
  • GitHub Actions (Technology Preview)
  • GitLab CI

Note: All CI pipelines except Tekton conform to SLSA Build L2. Tekton conforms to Build L3.

Source repositories

  • GitHub (Default)
  • GitLab
  • Bitbucket Cloud

Artifact registries

  • Quay (Default)
  • JFrog Artifactory

Chapter 2. Development workflow

RHTAP integrates security at every step of the DevSecOps workflow:

  • Start with secure templates: Leverage pre-built templates from Red Hat Developer Hub (RHDH) for a secure foundation. These templates include code repositories, documentation, and pre-configured CI/CD pipelines.
  • Develop and modify code: Modify your code after creating the application. Each code change triggers a pipeline run that automatically performs security checks, including artifact signing, vulnerability scanning, and SBOM generation.
  • Managed deployment: RHTAP enforces security policies throughout the development lifecycle, from development to production, using Enterprise Contract (EC). This ensures that only compliant builds are deployed.
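The deployment gate described in this workflow can be illustrated with a small policy evaluator. The following is an added example, not RHTAP or Enterprise Contract code: it models a build record carrying the page's three pipeline outputs (signature, scan findings, SBOM) plus the SLSA build level, and rejects deployment when any policy fails. The record layout, the `SEVERITY_RANK` scale and the HMAC stand-in for the RHTAS signature are assumptions made for the example.

```python
"""Hypothetical deployment gate modelled on the RHTAP workflow (added example, not product code)."""
import hashlib
import hmac
import json

# Constructed demo key: a stand-in for the RHTAS signing key so the example runs offline.
SIGNING_KEY = b"constructed-demo-key"
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def canonical(payload: dict) -> bytes:
    """Serialize deterministically so the signature covers exactly one byte string."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict) -> str:
    """HMAC-SHA256 over the canonical payload (stand-in for a real cryptographic signature)."""
    return hmac.new(SIGNING_KEY, canonical(payload), hashlib.sha256).hexdigest()


def make_record(ci: str, level: int, vulns: list, sbom: str = "sha256:constructed") -> dict:
    """Build a signed record of the kind a pipeline run would hand to the gate (constructed data)."""
    payload = {"ci": ci, "slsa_build_level": level, "sbom_digest": sbom, "vulnerabilities": vulns}
    return {"payload": payload, "signature": sign(payload)}


def evaluate(record: dict, required_slsa_level: int = 3, max_severity: str = "MEDIUM") -> list[str]:
    """Return policy violations for one build record; an empty list means the build may deploy."""
    violations = []
    payload = record["payload"]
    # 1. Integrity: any edit to the payload after signing (e.g. a removed finding) fails here.
    if not hmac.compare_digest(sign(payload), record.get("signature", "")):
        violations.append("signature does not verify")
    # 2. Provenance: the page states only Tekton builds attest SLSA Build L3, others L2.
    level = payload.get("slsa_build_level", 0)
    if level < required_slsa_level:
        violations.append(f"SLSA build level {level} below required {required_slsa_level}")
    # 3. Traceability: every build must carry an SBOM reference.
    if not payload.get("sbom_digest"):
        violations.append("no SBOM recorded for this build")
    # 4. Vulnerability threshold: block findings above the allowed severity.
    limit = SEVERITY_RANK[max_severity]
    bad = [v["id"] for v in payload.get("vulnerabilities", []) if SEVERITY_RANK[v["severity"]] > limit]
    if bad:
        violations.append("unresolved findings above %s: %s" % (max_severity, ", ".join(bad)))
    return violations


if __name__ == "__main__":
    print(evaluate(make_record("tekton", 3, [])))   # [] -> deployable
    print(evaluate(make_record("jenkins", 2, [])))  # L2 build blocked by an L3 policy
```

Note that a Jenkins-built artifact only passes when the policy's required level is lowered to 2, which mirrors the SLSA note in section 1.3.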

Revised on 2024-12-13 16:47:21 UTC

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.