Red Hat Inc. today announced updates to its Trusted Software Supply Chain that enable organizations to shift security “left” in the software supply chain to help organizations detect vulnerabilities earlier.

Red Hat announced Trusted Software Supply Chain in May 2023, pitching it as a way to address the rising threat of software supply chain attacks. The service secures software pipelines by verifying software origins, automating security processes and providing a secure catalog of verified open-source software packages.

The updates today are aimed at advancing the ability for customers to embed security into the software development life cycle, thereby increasing software integrity earlier in the supply chain while also adhering to industry regulations and compliance standards.

They start with a new tool called Red Hat Trust Artifact Signer. Based on the open-source Sigstore project, Trust Artifact Signer allows developers to sign and verify software artifacts cryptographically without managing centralized keys, to enhance trust in the software supply chain.

The second new release, Red Hat Trusted Profile Analyzer, provides a central source for security documentation such as Software Bill of Materials and Vulnerability Exploitability Exchange. The tool simplifies vulnerability management by enabling proactive identification and minimization of security threats.

The final new release, Red Hat Trusted Application Pipeline, combines the capabilities of the Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat’s internal developer platform to provide integrated security-focused development templates. The feature aims to standardize and accelerate the adoption of secure development practices within organizations.

Organizations can use the new offerings to verify pipeline compliance and provide traceability and auditability in the continuous integration and deployment or CI/CD process with an automated chain of trust that validates artifact signatures and offers provenance and attestations. Users can also use the features for enterprise contracts, with vulnerability scanning and policy checking directly from the CI/CD pipeline to stop suspicious build activity from being promoted into production.

“Organizations are seeking to mitigate the risks of constantly evolving security threats in their software development — to keep and grow trust with users, customers and partners,” said Sarwar Raza, vice president and general manager of the Application Developer Business Unit at Red Hat. “Red Hat Trusted Software Supply Chain is designed to seamlessly bring security capabilities into every phase of the software development life cycle. From code time to runtime, these tools help increase transparency and trust and give DevSecOps teams the ability to lay the groundwork for a more secure enterprise without impacting developer velocity or cognitive load.”

Trusted Artifact Signer and Trusted Application Pipeline are generally available from today. Trusted Profile Analyzer is now available in tech preview, with general availability expected to be launched before the end of June.

Photo: Leonid Mamchenkov/Flickr