Here's a short demonstration of the Red Hat Trusted Application Pipeline. It all starts with Red Hat Developer Hub. This is the place where developers go to work every day and find the resources that they need. One of the key resources here is the golden path templates, software templates that allow them to basically start their journey, in this case, on a secure software supply chain. Here you can see I already have a bunch of templates put out of the box, representing different programming languages and different programming frameworks. I have two that I starred that I particularly like. I'm going to choose one right now and walk through the wizard so we can see what it means to basically build out a new application that incorporates secure software supply chain practices.

Let me go and give it a name. I'll call this the Trader App, just to give it a nice name. This is just a little application, so I, as a developer who maybe just started with this company for the first time today, can experience the end-to-end software development lifecycle that this company has as its corporate standard. I'm going to come in here and pick all my different options within the wizard, and I'm going to hit Create. And now, as a developer, everything I need is being resourced and provisioned for me in the background, primarily using Argo CD to actually put the different dev, stage and prod environments out there, as well as configure everything, including a source code repository.

And as a developer, that's the first place I want to go. I want to go open up the source code here and see what the template provided. I want to copy that URL. I'm going to come down here to my local project directory. I'm going to git clone it, because that's what a developer likes to do. I'm going to cd into that area. I'm going to bring up my Visual Studio Code, because that's my favorite IDE here on my laptop. I could have used vi or Emacs or something else like IntelliJ.
I'm even going to use the Quarkus Live Dev Mode, because I like working with that, as an example. But I'm just going to make some basic changes, because what I really want to do is see the end-to-end live demonstration, right? I want to understand how this corporation and all those customizable templates incorporate secure software supply chain capability. I'm going to update the documentation, because with a Backstage-based architecture, you practice docs as code, or documentation as code. I'm going to come in here and maybe update the Java as well. Let me add in another endpoint. Let me copy that correctly, just to have another endpoint so we can see that the Java logic has been updated. I'm going to call this Goodbye, and we're going to say Bye, and we're going to give it a different path. We have a different path here to make sure everything looks nice and clean. Let's put that there, and let's put this here. We just have two different endpoints that we can interact with. I can come over here and use the Live Dev Mode and interact with that right now, so curl localhost:8080/goodbye. Again, I'm just interacting with that application.

In the codebase, let me also go in here and update the HTML, just to give it something different here. This is my Trader App, just to give it a name. You can see also that our openAPI.yaml has been updated. In any case, as a developer, I've done my work. I've updated my codebase, and I'm going to git commit and git push, because I want to basically put this back in. It's just going to be updated to my specifications. I'm going to commit here and sync. That's the git push. It will ask me to log in. The good news is, as a new employee, I was given my password. Let me go get that real quick. I have my password now. Let me put that in and git commit, git push. I've sent my code into the system. Let's go see what that looks like. Back to my portal now. Let me click back over here and go look at that component in the catalog.
When you use the golden path template, you use the template system as a whole. It's going to go ahead and put out there everything I need, including a component in the system catalog, and I can go look at the CI tab and see that I already have a job running. So this pipeline right here does represent a number of best practices that incorporate securing the software supply chain. Obviously, I git clone, I'm making a package. We've got to scan our sources. You can use different tools, and this is all fully customizable. But the key one here is to build and sign the image. This one right here takes advantage of Tekton and Tekton Chains, and it signs the image as it goes through the build pipeline, including putting the appropriate attestation as well as an SBOM, a software bill of materials, on that image.

Let me hop over and show you one that is already completed, so we don't have to wait for this one. And let me go over here to my Spring application. I could have used C#, I could have used something else, but here's my Spring application, and you can see this pipeline has been completed. It has also done all the appropriate ACS checks, that's Advanced Cluster Security. You can see our vulnerabilities have been nicely exposed right here in a dashboard-like way. I can also drill down and see a nice little dashboard for things like CVE scanning, again coming from that Advanced Cluster Security, where it has shifted left using roxctl. Also policy checks here, where I can look at specific items within that policy violation. In this case, I have a Spring4Shell problem that's a critical vulnerability, and we have a policy against it as an example, but we might also have a package manager in here, an apt-get, a curl; a number of different policies could be exposed to basically stop and break that build if we'd like to. Also deployment checks, like having appropriate limits set within the deployment YAML, as an example.
So all this ACS scanning occurs right here within the pipeline, and the policy setup is back here on the ACS main application. So your security folks would get involved; they would configure and use this dashboard, including configuring all the policies associated with what you saw there, those build-time policies. All right, we're going to verify those at build time. That's what's happened here.

The next phase of this is when we actually promote that application. So we not only built that container image, produced the SBOM and, of course, generated the attestation and the signature, which, by the way, you can see right here when I look at my image registry: you can see there's the container image, there's the attestation, the signature and the SBOM, that software bill of materials. But if I come back now, we also have the ability, during promotion, to validate all those items one more time using a technology called Enterprise Contract. And what this tool does is look at that attestation and that signature and apply a series of rules against that attestation, validating that this is SLSA compliant, Supply chain Levels for Software Artifacts. You can see here it's specifically going out there looking at SLSA Build Level 3. But this is the tool that helps you validate that the developer did not break their build, maybe in an accidental way or even a malicious way. This tool helps you validate things before that image gets published to production. And of course, we will protect you at code time, build time, as you see here, and run time. And that is my quick demonstration of the Red Hat Trusted Application Pipeline.
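The promotion gate described above, where a tool inspects the build attestation and applies rules against it before an image reaches production, can be illustrated with a small policy check. The following is an added example, not code from the demo, from Enterprise Contract or from Tekton Chains: it decodes a DSSE envelope carrying an in-toto Statement with a SLSA v0.2 provenance predicate (the shape Tekton Chains emits) and checks it against a handful of rules of the kind a promotion policy would express. The sample envelope, the image digest, the builder id and the source repository are all constructed placeholders; the signature over the envelope is assumed to have been verified already (for example with cosign) and is not checked here.

```python
"""Added example: rule-based checks over a SLSA provenance attestation.

This mimics the idea of a promotion gate (Enterprise Contract style) that
reads the build attestation and refuses to promote an image unless the
provenance satisfies policy. It is not the Enterprise Contract code or its
rule set; the rules below are illustrative.
"""
import base64
import json

# --- Constructed sample data (placeholders, not from any real build) ---------
IMAGE_DIGEST = "a" * 64          # sha256 of the image being promoted (placeholder)
SOURCE_COMMIT = "b" * 40         # sha1 of the commit that was built (placeholder)
TRUSTED_BUILDER = "https://tekton.dev/chains/v2"   # builder id the policy trusts

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "registry.example/trader-app",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": {
        "builder": {"id": TRUSTED_BUILDER},
        "buildType": "tekton.dev/v1beta1/TaskRun",
        "invocation": {"configSource": {
            "uri": "git+https://git.example/trader-app",
            "digest": {"sha1": SOURCE_COMMIT}}},
        "materials": [{"uri": "git+https://git.example/trader-app",
                       "digest": {"sha1": SOURCE_COMMIT}}],
        "metadata": {"completeness": {"parameters": True,
                                      "environment": False,
                                      "materials": True}},
    },
}

# A DSSE envelope as stored next to the image: base64 payload plus signatures.
# The signature value is a placeholder; verifying it is out of scope here.
SAMPLE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-SIGNATURE"}],
}

# --- Policy ------------------------------------------------------------------
TRUSTED_BUILDERS = {TRUSTED_BUILDER}
TRUSTED_SOURCE_PREFIXES = ("git+https://git.example/",)
SLSA_V02 = "https://slsa.dev/provenance/v0.2"


def decode_envelope(envelope: dict) -> dict:
    """Unwrap the DSSE envelope and return the in-toto Statement as a dict."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, image_digest: str) -> list:
    """Return a list of policy violations; an empty list means 'promote'."""
    violations = []
    if statement.get("predicateType") != SLSA_V02:
        return ["attestation is not a SLSA v0.2 provenance predicate"]

    # The attestation must be about the exact image we are promoting.
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == image_digest for s in subjects):
        violations.append("attestation subject does not match the image digest")

    pred = statement.get("predicate", {})
    # Only a known build system may have produced the provenance.
    if pred.get("builder", {}).get("id") not in TRUSTED_BUILDERS:
        violations.append("builder id is not in the trusted builder list")

    # The build must have been driven from a repository the policy allows,
    # pinned to a specific commit, and that commit must appear in materials.
    cfg = pred.get("invocation", {}).get("configSource", {})
    if not cfg.get("uri", "").startswith(TRUSTED_SOURCE_PREFIXES):
        violations.append("configSource uri is not a trusted repository")
    commit = cfg.get("digest", {}).get("sha1")
    if not commit:
        violations.append("configSource is not pinned to a commit digest")
    elif not any(m.get("digest", {}).get("sha1") == commit
                 for m in pred.get("materials", [])):
        violations.append("built commit is missing from materials")

    # Without complete materials the dependency record cannot be trusted.
    if not pred.get("metadata", {}).get("completeness", {}).get("materials"):
        violations.append("provenance does not claim complete materials")
    return violations


def evaluate(envelope: dict, image_digest: str) -> bool:
    """Promotion decision: True only when no rule is violated."""
    return check_provenance(decode_envelope(envelope), image_digest) == []


if __name__ == "__main__":
    ok = evaluate(SAMPLE_ENVELOPE, IMAGE_DIGEST)
    print("promote" if ok else "blocked",
          check_provenance(decode_envelope(SAMPLE_ENVELOPE), IMAGE_DIGEST))
```

The value of the gate is in the negative cases: if the same envelope is re-issued by an unknown builder, re-pointed at a different image digest, or stripped of the commit digest, `evaluate` returns `False` with a violation naming the rule, which is what lets a promotion pipeline fail closed rather than trusting that the developer's build was untouched.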