The following pipeline shows security features applied into a CI/CD pipelines:

• Clone code from a Git repository
• Scan application code using CodeReady Dependency Analytics (CRDA): https://github.com/fabric8-analytics/cli-tools/blob/main/docs/cli_README.md
• Store a signed image in Red Hat Quay: https://www.redhat.com/en/technologies/cloud-computing/quay
• Run code analysis with Sonarqube and run tests
• Release application binary and store it in Nexus
• Generate an SBOM file using syft: https://github.com/anchore/syft
• Build and sign a container image using Tekton Chains and Cosign: https://next.redhat.com/project/tekton-chains/
• Sign all TaskRuns using Tekton Chains
• Provide provenance attestations and store them in Rekor: https://github.com/sigstore/rekor
• Scan container images using Red Hat Advanced Security for Kubernetes (RHACS) and use results as a gate in the pipeline: https://www.redhat.com/en/technologies/cloud-computing/openshift/advanced-cluster-security-kubernetes
• Scan OpenShift resources (deployment, etc) using RHACS (kubelinter) for best-practices, such as non-privileged users: https://github.com/stackrox/kube-linter
• Deploy application to multiple clusters using Red HAT Advanced Cluster Management for Kubernetes (RHACM) and OpenShift GitOps (based on argocd) and using Pull-Request workflow to promote application through different environments (from DEV to Staging)

• Verify images deployed to target clusters using RHACS sigstore integration

Below are some high-level highlights of the security features implemented:

The CLI tool allows to scan application code and provide feedback about used libraries and dependencies, and provides a report similar to this:

The report is generated by a Red Hat hosted service, and a sample report can be accessed here: https://recommender.api.openshift.io/api/v2/stack-report/cb61da376e2b417a85d011818b6a45df

This task uses the syft cli to generate a SBOM based on the application code. Syft can also generate an SBOM from a container image.

RHACS allow you to scan container images for security vulnerabilities and use the scan results as a gate within the pipeline to stop the execution in case of security issues. This is a sample report provided by RHACS:

The OpenShift Pipelines Operator allows you to easily add Tekton Chains in your cluster through a simple configuration, and thus sign all TaskRuns and container images that are produced within the pipeline. Here is a sample of a signed TaskRun that is adding the signed payload as an annotation to the Tekton TaskRun:

The Rekor transparency log for the previous signed TaskRun can be found here: https://rekor.sigstore.dev/api/v1/log/entries?logIndex=2842400

There are still upcoming features such as:

• Integrating with Hashicorp Vault to store secrets in a GitOps approach and mount them in the pipeline for Git usernames/password, Registry tokens, Application workloads, without having plain values stored in the Git repository.
• Documentation of SLSA level compliance for each of the features