Red Hat Introduces Red Hat Trusted Software Supply Chain
Red Hat announced Red Hat Trusted Software Supply Chain, a solution that enhances resilience to software supply chain vulnerabilities. As part of this solution, two new cloud services, Red Hat Trusted Application Pipeline and Red Hat Trusted Content, are joining in preview mode the existing Red Hat software and cloud services, including Quay and Advanced Cluster Security (ACS), to advance the successful adoption of DevSecOps practices, and embed security into the software development lifecycle.
With Red Hat Trusted Software Supply Chain, customers can more quickly and efficiently code, build and monitor their software using proven platforms, trusted content, and real-time security scanning and remediation. The solution builds on Red Hat’s 30+ years of customer and industry trust, earned by consistently delivering hardened open-source solutions that make it easier for enterprises to accelerate hybrid cloud adoption while still retaining an effective IT security posture.
Red Hat Trusted Software Supply Chain
With 75% of application code bases now consisting of open-source code, these components are under greater scrutiny, especially as software supply chain attacks have soared 742% since 2020. Customers seek to integrate guardrails into their software supply chain and development life cycles to accelerate innovation without compromising security.
The software and services delivered as part of Red Hat Trusted Software Supply Chain enhance an organization’s resilience to vulnerabilities across the modern software development lifecycle. Red Hat Trusted Content builds on a foundation of security-enhanced systems software, with thousands of trusted packages in Red Hat Enterprise Linux alone and a catalog of critical application runtimes across Java, Node, and Python ecosystems. The service provides customers with enterprise-hardened trusted content and knowledge about open-source packages in customer applications.
The basis for Red Hat Trusted Application Pipeline comes from Red Hat’s foundational work in the creation, launch and maintenance of sigstore, which provides a freely-available standard for cloud-native secure signing, as well as providing critical pieces of shared security infrastructure to many upstream communities. Trusted Application Pipeline offers a security-forward Continuous Integration/Continuous Delivery (CI/CD) service that simplifies the adoption of the processes, technologies and expertise that Red Hat uses to build production software.
Bridging software innovation with source code security
Available as a service preview in the coming weeks, Red Hat Trusted Content will provide developers with real-time knowledge of known vulnerabilities and security risks within their open source software dependencies. The service will also suggest available remediations to minimize risks, helping to reduce development time and cost. Red Hat Trusted Content provides access to Red Hat-built and -curated open source software content, with provenance and attestation, using Red Hat’s internal best practices. Once an application is in production, the service proactively monitors and alerts users of known new and emerging risks in their open source dependencies, allowing for quicker remediation of emerging threats.
Red Hat Trusted Application Pipeline, available as a service preview today, helps customers enhance the security of application software supply chains with an integrated CI/CD pipeline. Applications can be more effectively built and more easily integrated into Linux containers and then deployed onto Red Hat OpenShift or other Kubernetes platforms with just a few clicks. Previously, this was frequently a highly-manual process, with hundreds of lines of automation code required for building, testing and deploying containerized applications. This manual process introduces the potential for friction and human error, adding new risk points and slowing overall velocity.
With Red Hat Trusted Application Pipeline, Red Hat customers can:
-
Import git repositories and configure container-native continuous build, test, and deployment pipelines via a cloud service in just a few steps;
-
Inspect source code and transitive dependencies;
-
Auto-generate Software Bills of Materials (SBOM) within builds; and
-
Verify and promote container images via a release criteria policy engine that helps confirm consistency with industry frameworks like Supply chain Levels for Software Artifacts (SLSA).