Recent high-profile security events have caused concern throughout the DevSecOps community. We have witnessed a sophisticated shift in the threat landscape: attackers are no longer just targeting the applications you build. They’re targeting the very tools you use to protect them.

By compromising the service accounts and version tags of popular third-party security "actions" and scanners, threat actors have successfully turned security tools into delivery vehicles for malware. In these scenarios, the moment a continuous integration/continuous delivery (CI/CD) pipeline triggers a security scan, it inadvertently exfiltrates cloud credentials and Kubernetes tokens before a single line of code is even analyzed.

This "who secures the security?" paradox highlights a critical architectural flaw: passive observation is not protection. If your security strategy relies on external, mutable third-party scripts, your perimeter is only as strong as your vendor’s GitHub account.

The power of native enforcement

Red Hat OpenShift and Red Hat Advanced Cluster Security provide a fundamentally different approach. We move systems and workload security from an "external action" to a platform-native guardrail.

Instead of relying on an external script that can be force-pushed by an attacker, OpenShift uses Kubernetes-native admission control. This is a gate built directly into the cluster's API. Even if a compromised third-party tool attempts to inject a malicious image into your environment, the cluster can still reject it based on predefined operational policies.

Verify your software’s DNA with Red Hat Trusted Artifact Signer

The second pillar of a resilient defense is provenance, or knowing exactly who built your code and how. You cannot trust a container image based on a "version tag" alone, because tags are simply mutable pointers and can be easily hijacked.

Red Hat Trusted Software Supply Chain integrates with Trusted Artifact Signer to give your team the superpower of trust. Trusted Artifact Signer acts as a "DNA test" for your software, helping confirm that every image is cryptographically signed and bound to a verifiable identity at the moment of creation.

By moving to keyless signing, you can stop worrying about long-lived cryptographic keys that can be lost or stolen. Instead, when a pod attempts to start, Red Hat Advanced Cluster Security performs a real-time check to see that the image is signed by your internal build system and remains free of tampering. If the "DNA" doesn't match, the cluster stops the request instantly.
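The admission gate described above, reduced to its two decisions (is the image pinned by an immutable digest rather than a hijackable tag, and is the signature bound to the internal build system's identity rather than to some arbitrary signer), as an added illustration that is not Red Hat Advanced Cluster Security code. The registry name, the OIDC identity and issuer, and the signature lookup table are constructed stand-ins for what a real keyless verification would return.

```python
"""Simulated admission gate: digest pinning plus keyless-signer identity check.
Constructed teaching example; it does not call any real verifier."""
import re
from dataclasses import dataclass

# Only digest-pinned references are accepted: "repo@sha256:<64 hex chars>".
DIGEST_RE = re.compile(r"^(?P<repo>[^@]+)@sha256:(?P<digest>[0-9a-f]{64})$")

# Hypothetical trusted build identity. With keyless signing, trust is anchored to
# an (OIDC identity, issuer) pair that the signing certificate attests, not to a
# long-lived private key that can be lost or stolen.
TRUSTED_SIGNERS = {
    ("https://kubernetes.io/namespaces/ci/serviceaccounts/pipeline",
     "https://oidc.example.internal"),
}

# Constructed stand-in for what signature verification would return per digest
# (a real gate would verify a Sigstore bundle against the transparency log).
SIGNATURES = {
    "a" * 64: [("https://kubernetes.io/namespaces/ci/serviceaccounts/pipeline",
                "https://oidc.example.internal")],
    # Signed, but by a third-party CI identity, i.e. "DNA" that does not match.
    "b" * 64: [("https://github.com/some-vendor/security-action",
                "https://token.actions.githubusercontent.com")],
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_image(image: str) -> Decision:
    m = DIGEST_RE.match(image)
    if not m:
        # A tag is a mutable pointer; the gate refuses anything not pinned by digest.
        return Decision(False, f"{image}: not pinned by digest")
    signers = SIGNATURES.get(m.group("digest"), [])
    if not signers:
        return Decision(False, f"{image}: no signature found")
    if not any(s in TRUSTED_SIGNERS for s in signers):
        return Decision(False, f"{image}: signed, but not by the internal build identity")
    return Decision(True, f"{image}: signed by trusted build identity")


def admit_pod(pod: dict) -> Decision:
    """Reject the whole pod on the first container (init or regular) that fails."""
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        d = evaluate_image(c["image"])
        if not d.allowed:
            return d
    return Decision(True, "all images pinned by digest and signed by trusted identity")
```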

Runtime protection: Real-time defense, not just alerts

The biggest risk to your clusters isn’t just what you know is in your code; it’s the "living" threats that emerge once your containers are running. If a breach happens in the middle of the night, you don’t need a long list of alerts to sift through—you need the platform to act.

Red Hat Advanced Cluster Security provides a "digital hawk" for your environment through automated process discovery and baselining. Instead of you manually writing thousands of rules, the platform observes your applications to learn what "good" behavior looks like. When Red Hat Advanced Cluster Security notices an anomaly like a crypto miner or a suspicious privilege escalation, it uses its native power to:

  • Spot the problems: Highlight anomalous process executions with high-fidelity detection that cuts out the noise of false positives.
  • Stop the threat: Automatically instruct Kubernetes to terminate suspicious pods or scale breached applications to zero.
  • Protect the core: Monitor admin events to block malicious behavior before it can spread through your infrastructure.

Moving from watching to governing

The tools we use to defend our software must be as hardened as the software itself. By integrating security capabilities into the platform layer, Red Hat OpenShift helps make sure your defense is independent of external risks and impossible for attackers to bypass.

This shifts your team’s energy away from manual system maintenance and back to delivering customer value, supported by native controls that resolve issues automatically in production.

Take control of your supply chain integrity

Don't let your security tools become your primary attack vector. Learn how to build a resilient, verifiable, and automated defense-in-depth strategy with Red Hat.


About the author

Dan Bettinger is a tech marketing innovator who has carved a unique path through the evolving landscape of cloud computing, blockchain, and DevOps. Currently serving as Principal Product Marketing Manager for OpenShift at Red Hat, Dan's career highlights include spearheading J.P. Morgan's groundbreaking blockchain network and hosting the IBM Cloud Podcast, where he reached thousands of listeners per episode.
