Conclusion :: Trusted Software Factory Workshop

Workshop summary

Congratulations on completing the Trusted Software Factory workshop!

In this workshop, you successfully:

✓ Validated cluster prerequisites and cluster-admin access for working with TSF
✓ Set up your workstation (Podman, tsf.env, installer shell) and authenticated with oc from the container
✓ Created an application in Konflux and onboarded a component from Git
✓ Configured release settings and merged the onboarding change to run the pipeline
✓ Verified signed images with cosign and reviewed SLSA Level 3 provenance
✓ Explored SBOMs and vulnerability findings in Red Hat Trusted Profile Analyzer and inspected the release record

What you’ve built

In the labs you worked inside a pre-configured TSF environment on OpenShift Container Platform. The stack below summarizes the major layers—organized around the TechCorp Industries scenario—to show how the pieces relate:

Infrastructure layer

Cert-Manager for TLS certificates
Red Hat Build of Keycloak for authentication
Storage components for persistent data

Build and CI/CD layer

Konflux for application management
OpenShift Pipelines (Tekton) for automated builds
GitHub/GitLab integration for source control

Security layer

Red Hat Trusted Artifact Signer for cryptographic signing with Fulcio and Rekor
SLSA Level 3 provenance for build attestation
Red Hat Trusted Profile Analyzer for SBOM generation and vulnerability scanning

Distribution layer

Quay integration for signed image storage
Automated release pipelines

This architecture ensures that every container image is:

Built from verified source code
Signed with cryptographic keys
Traceable with complete provenance
Scanned for vulnerabilities
Documented with full SBOM

Key concepts recap

Konflux

Konflux is the orchestration layer that ties everything together. It provides:

Application and component management
Pipeline definitions and triggers
Release plans and strategies
Integration with source control and registries

SLSA provenance

SLSA (Supply-chain Levels for Software Artifacts) Level 3 provenance provides:

Non-falsifiable — Signed by build system, cannot be forged
Complete — Records all inputs and build steps
Isolated — Build runs in ephemeral environment

This enables you to verify exactly how an image was built, from which source, by which pipeline.

Red Hat Trusted Artifact Signer

Red Hat Trusted Artifact Signer (based on Sigstore) provides:

Fulcio — Certificate authority that issues short-lived signing certificates
Rekor — Transparency log that records all signatures
TUF — Framework for secure distribution of trust roots

Signatures are tied to your identity (via OIDC), not long-lived keys that can be compromised.

Red Hat Trusted Profile Analyzer

Red Hat Trusted Profile Analyzer generates:

SBOMs — Complete inventory of all software components
Vulnerability reports — Known CVEs affecting your images
License information — Compliance and legal review data

This enables proactive security management and rapid response to new vulnerabilities.

Common troubleshooting scenarios

All known issues and workarounds—installer and tsf deploy, Konflux pipelines, Quay, and webhooks—are documented in Appendix D: Troubleshooting.

Next steps

Deploy Trusted Software Factory on a cluster

If you need to install TSF yourself on OpenShift Container Platform, follow the workshop appendices in order:

Appendix A: Preparing to install — cluster checks, integrations (GitHub or GitLab, Quay), and tsf.env
Appendix B: Installing TSF — installer container, tsf CLI, integrations, Helm deploy
Appendix C: Verifying and accessing — validate namespaces, operators, routes, Konflux UI, and deployed components

If anything fails during install, integration, or later Konflux onboarding, see Appendix D: Troubleshooting.

Then return to Module 2: Getting started with Konflux if you want to redo the onboarding flow on your own deployment, using your own repository (or a fork of https://github.com/konflux-ci/sample-component-golang).

Expand your secure supply chain

Onboard more applications — Move your production workloads to TSF
Customize pipelines — Add custom build steps, tests, and validations
Implement policy enforcement — Use Conforma to enforce security policies
Configure multi-environment releases — Set up dev, staging, production pipelines

Advanced topics

Custom integration tests — Define application-specific validation
Multi-component applications — Build microservices architectures
Security policies — Enforce image signing, vulnerability thresholds, SBOM requirements
Deployment automation — Integrate with ArgoCD or OpenShift GitOps

Stay up to date

TSF documentation: Official TSF docs
Konflux project: Konflux documentation
Sigstore project: Sigstore community
SLSA framework: SLSA specification

Workshop feedback

We hope this workshop helped you understand secure software supply chains and how to implement them on OpenShift Container Platform with TSF.

Your feedback helps us improve! Please share:

What worked well
What could be improved
Topics you’d like to see covered
Real-world use cases you’re implementing

Resources and references

Documentation

Community and standards

Sigstore Project — Open source signing and transparency
SLSA Framework — Supply-chain security levels
CycloneDX — SBOM standard
SPDX — Software package data exchange

Source code

Thank you!

Thank you for completing the Trusted Software Factory workshop. You now have the knowledge and hands-on experience to implement secure software supply chains on OpenShift Container Platform.

Happy building — securely! 🔒