Red Hat Expands Red Hat Trusted Software Supply Chain for a Developer-First Experience


Red Hat, Inc., the world's leading provider of open source solutions, today announced updates to Red Hat Trusted Software Supply Chain. These solutions advance the ability for customers to embed security into the software development life cycle, increasing software integrity earlier in the supply chain while adhering to industry regulations and compliance standards.


Red Hat Trusted Software Supply Chain extends its existing open source security due diligence to help customers manage their open source and software supply chains using the same software supply chain that Red Hat uses to deliver trusted open source software.

Jim Mercer

Program Vice President, Software Development, DevOps & DevSecOps, IDC

According to industry analyst firm IDC, “By 2027, 75% of CIOs will integrate cybersecurity measures directly into systems and processes to proactively detect and neutralize vulnerabilities, fortifying against cyberthreats and breaches.”1 Organizations are beginning to integrate security protocols directly into their software processes, shifting their reactive security measures to proactive ones in order to stop security breaches before they happen.

Red Hat Trusted Software Supply Chain delivers software and services that enhance an organization's resilience to vulnerabilities, enabling them to identify and address potential issues early and mitigate them before they can be exploited. Organizations are now empowered to more efficiently code, build, deploy and monitor their software using proven platforms, trusted content and real-time security scanning and remediation.

Based on the open source Sigstore project founded at Red Hat and now part of the Open Source Security Foundation, Red Hat Trusted Artifact Signer increases the trustworthiness of software artifacts moving through the software supply chain by enabling developers and stakeholders to cryptographically sign and verify the artifacts using a keyless certificate authority. With its identity-based signing through an integration with OpenID Connect, organizations can have greater confidence in the authenticity and integrity of their software supply chain without the overhead and hassle of managing a centralized key management system.

Development and security teams also need visibility and insight into the risk profile of an application’s codebase so that security threats and vulnerabilities can be identified proactively and minimized. Red Hat Trusted Profile Analyzer simplifies vulnerability management by providing a source of truth for security documentation, including Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX). Organizations can manage and analyze the composition of software assets and documentation of custom, third party and open source software without slowing down development or increasing operational complexity.

Red Hat Trusted Application Pipeline combines the capabilities of Red Hat Trusted Profile Analyzer and Red Hat Trusted Artifact Signer, along with Red Hat’s enterprise-grade internal developer platform, Red Hat Developer Hub, to provide security-focused software supply chain capabilities that are pre-integrated into developer self-service templates. Red Hat Trusted Application Pipeline consists of a central developer hub of validated software templates and integrated guardrails that standardize and expedite onboarding of security-focused golden paths to increase trust and transparency at code-time.

Organizations can use the offering to verify pipeline compliance and provide traceability and auditability in the CI/CD process with an automated chain of trust that validates artifact signatures, and offers provenance and attestations. Enterprise contracts, with vulnerability scanning and policy checking directly from the CI/CD pipeline, can stop suspicious build activity from being promoted into production.

These offerings are available as self managed, on-premise capabilities and can be layered onto application platforms, such as Red Hat OpenShift, or consumed separately, offering flexibility and choice to meet developers specific needs.

Red Hat Trusted Artifact Signer and Red Hat Trusted Application Pipeline are generally available. Red Hat Trusted Profile Analyzer is available in tech preview, with general availability expected this quarter. Visit or check out the Red Hat Customer Portal to learn more.

Supporting Quotes
Sarwar Raza, vice president and general manager, Application Developer Business Unit, Red Hat
“Organizations are seeking to mitigate the risks of constantly evolving security threats in their software development - to keep and grow trust with users, customers and partners. Red Hat Trusted Software Supply Chain is designed to seamlessly bring security capabilities into every phase of the software development life cycle. From code time to runtime, these tools help increase transparency and trust and give DevSecOps teams the ability to lay the groundwork for a more secure enterprise without impacting developer velocity or cognitive load.”

Jim Mercer, program vice president, Software Development, DevOps & DevSecOps, IDC
“Red Hat has been securing open source software and the open source software supply chain for 30 years. The company has continued to enhance its open source due diligence by providing safeguards against tampering and ensuring all code is stored in internal repositories and the software the company distributes is signed to improve digital provenance. The Red Hat Trusted Software Supply Chain extends its existing open source security due diligence to help customers manage their open source and software supply chains using the same software supply chain that Red Hat uses to deliver trusted open source software.”

1IDC FutureScape: Worldwide CIO Agenda 2024 Predictions, Doc # US51294523, Oct. 2023

Additional Resources

Connect with Red Hat

  • Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies. Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

  • Except for the historical information and discussions contained herein, statements contained in this press release may constitute forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company’s current assumptions regarding future business and financial performance. These statements involve a number of risks, uncertainties and other factors that could cause actual results to differ materially. Any forward-looking statement in this press release speaks only as of the date on which it is made. Except as required by law, the company assumes no obligation to update or revise any forward-looking statements.


    Red Hat, the Red Hat logo and OpenShift are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the U.S. and other countries.