Red Hat Introduces Red Hat Trusted Software Supply Chain

Software supply chain solution adds new Red Hat Trusted Content and Red Hat Trusted Application Pipeline services, helping to bolster foundational application security and business resiliency


Red Hat, Inc., the world's leading provider of open source solutions, today announced Red Hat Trusted Software Supply Chain, a solution that enhances resilience to software supply chain vulnerabilities. As part of this solution, two new cloud services, Red Hat Trusted Application Pipeline and Red Hat Trusted Content, are joining, in preview mode, the existing Red Hat software and cloud services, including Quay and Advanced Cluster Security (ACS), to advance the successful adoption of DevSecOps practices and embed security into the software development lifecycle.



With Red Hat Trusted Software Supply Chain, customers can more quickly and efficiently code, build and monitor their software using proven platforms, trusted content and real-time security scanning and remediation. The solution builds on Red Hat’s 30+ years of customer and industry trust, earned by consistently delivering hardened open source solutions that make it easier for enterprises to accelerate hybrid cloud adoption while still retaining an effective IT security posture.

Red Hat Trusted Software Supply Chain
With 75% of application code bases now consisting of open source code, these components are under greater scrutiny, especially as software supply chain attacks have soared 742% since 2020. Customers seek to integrate guardrails into their software supply chain and development life cycles to accelerate innovation without compromising security.

The software and services delivered as part of Red Hat Trusted Software Supply Chain enhance an organization’s resilience to vulnerabilities across the modern software development lifecycle. Red Hat Trusted Content builds on a foundation of security-enhanced systems software, with thousands of trusted packages in Red Hat Enterprise Linux alone and a catalog of critical application runtimes across Java, Node, and Python ecosystems. The service provides customers with enterprise-hardened trusted content and knowledge about the open-source packages in customer applications.

The basis for Red Hat Trusted Application Pipeline comes from Red Hat’s foundational work in the creation, launch and maintenance of sigstore, which provides a freely available standard for cloud-native secure signing, as well as critical pieces of shared security infrastructure for many upstream communities. Trusted Application Pipeline offers a security-forward Continuous Integration/Continuous Delivery (CI/CD) service that simplifies the adoption of the processes, technologies and expertise that Red Hat uses to build production software.

Bridging software innovation with source code security
Available as a service preview in the coming weeks, Red Hat Trusted Content will provide developers with real-time knowledge of known vulnerabilities and security risks within their open source software dependencies. The service will also suggest available remediations to minimize risks, helping to reduce development time and cost. Red Hat Trusted Content provides access to Red Hat-built and -curated open source software content, with provenance and attestation, using Red Hat's internal best practices. Once an application is in production, the service proactively monitors and alerts users of known new and emerging risks in their open source dependencies, allowing for quicker remediation of emerging threats.

Red Hat Trusted Application Pipeline, available as a service preview today, helps customers enhance the security of application software supply chains with an integrated CI/CD pipeline. Applications can be more effectively built and more easily integrated into Linux containers and then deployed onto Red Hat OpenShift or other Kubernetes platforms with just a few clicks. Previously, this was frequently a highly manual process, with hundreds of lines of automation code required for building, testing and deploying containerized applications. This manual process introduces the potential for friction and human error, adding new risk points and slowing overall velocity.

With Red Hat Trusted Application Pipeline, Red Hat customers can:

  • Import git repositories and configure container-native continuous build, test, and deployment pipelines via a cloud service in just a few steps;
  • Inspect source code and transitive dependencies;
  • Auto-generate Software Bills of Materials (SBOM) within builds; and
  • Verify and promote container images via a release criteria policy engine that helps confirm consistency with industry frameworks like Supply chain Levels for Software Artifacts (SLSA).

To learn more about Red Hat Trusted Software Supply Chain and associated cloud services or to sign up for the service preview, visit

Supporting Quotes
Sarwar Raza, vice president and general manager, Cloud Services, Red Hat
“IT organizations can no longer be concerned solely with creating production applications. They also need to enhance the security of the components that actually make up the final product. Verifying the provenance of open source components, along with continually scanning both the code moving through delivery pipelines and the delivery pipelines themselves, along with enforcing robust development and delivery practices, can be a significant challenge for CIOs. Red Hat Trusted Software Supply Chain is designed to remedy these needs by codifying Red Hat’s decades of experience in open source software supply chains into easily-integrated and easily-consumed services, helping to not only build trust around production applications but also bring them to market more quickly.”

Al Gillen, group vice president, Development and Open Source, IDC
“Supply chain security is one of the most important priorities facing enterprise IT organizations today, especially as more and more business-critical systems and applications incorporate or leverage open source artifacts. Red Hat Trusted Software Supply Chain Security builds on top of Red Hat’s longstanding internal supply chain pipelines and processes, and is a major step forward for the industry when it comes to building secure modern applications. Equally important, this product opens up Red Hat’s solution set to the developer community beyond the existing Red Hat ecosystem, meaning every modern application developer – not just RHEL developers – can benefit from this solution.”

Red Hat Summit
To watch the Red Hat Summit keynotes virtually, tune in at the following times. The livestream will be available on Red Hat's Twitter, LinkedIn, and YouTube accounts. Choose your viewing preference and hear the latest from Red Hat executives, customers, and partners.

Catch up on select event highlights and explore a collection of additional new online sessions for free on the Red Hat Summit virtual content hub.

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies. Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

Except for the historical information and discussions contained herein, statements contained in this press release may constitute forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company’s current assumptions regarding future business and financial performance. These statements involve a number of risks, uncertainties and other factors that could cause actual results to differ materially. Any forward-looking statement in this press release speaks only as of the date on which it is made. Except as required by law, the company assumes no obligation to update or revise any forward-looking statements.

Red Hat, Red Hat Enterprise Linux, the Red Hat logo and OpenShift are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the U.S. and other countries. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.