Red Hat adds trio of new tools to its Trusted Software Supply Chain

Red Hat has introduced three new developer tools to its Red Hat Trusted Software Supply Chain solution in a move designed to help organizations ramp up security earlier in the supply chain.

The Red Hat Trusted Software Supply Chain platform provides software and services to help organizations tackle software supply chain threats early and strengthen their overall resilience to vulnerabilities.

The first of its three new additions – dubbed Red Hat Trusted Artifact Signer – is based on the open-source Sigstore project and aims to increase trust in software artifacts progressing through the supply chain. Available now, the tool enables developers to cryptographically sign and verify artifacts using a keyless certificate authority - without the need to manage a centralized key management system, Red Hat said.

The second, Red Hat Trusted Profile Analyzer, has been designed to simplify vulnerability management. The offering operates as a hub for security documentation such as Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX), enabling organizations to efficiently manage and analyze the composition of software assets and documentation of custom, third party, and open-source software. Trusted Profile Analyzer is also available now.

The third new offering, Red Hat Trusted Application Pipeline, bundles together the Trusted Artifact Signer and Trusted Profile Analyzer with Red Hat’s internal developer platform, Red Hat Developer Hub, to provide developer self-service templates loaded with security-focused software supply chain capabilities.

Acting as a hub for validated software templates, Red Hat said organizations can leverage the tool to verify pipeline compliance and ramp up traceability and auditability in the CI/CD process through an automated chain of trust that validates artifact signatures, as well as provides provenance and attestations. Trusted Application Pipeline is currently in tech preview, with general availability expected later this quarter.

In an announcement, Red Hat said it is releasing its new offerings as organizations are increasingly looking to proactively integrate security protocols directly into their software processes.

“Organizations are seeking to mitigate the risks of constantly evolving security threats in their software development - to keep and grow trust with users, customers and partners,” explained Sarwar Raza, vice president and general manager of Red Hat’s Application Developer Business Unit.

“Red Hat Trusted Software Supply Chain is designed to seamlessly bring security capabilities into every phase of the software development life cycle. From code time to runtime, these tools help increase transparency and trust and give DevSecOps teams the ability to lay the groundwork for a more secure enterprise without impacting developer velocity or cognitive load.”