Modern software development runs on open source, and that’s not hyperbole. Python alone pulls in dozens—sometimes hundreds—of third‑party libraries for even the simplest applications. While public repositories have fueled innovation at incredible speed, they’ve also created a new class of risk: opaque build pipelines, unverifiable provenance, and a growing burden on teams to chase vulnerabilities after the fact.
Today marks the tech preview of Red Hat trusted libraries, a new package index designed to bring enterprise-grade trust, transparency, and security posture to application dependencies, starting with Python.
The problem isn’t just CVEs — it’s trust
Much of the industry conversation has centered on zero CVEs. While reducing known vulnerabilities is important, it’s only a symptom of a deeper issue. Development teams often lack answers to fundamental questions:
- Where did this library come from?
- How was it built?
- Can we prove it hasn’t been tampered with?
- Can we respond quickly when upstream has a fix?
Without verifiable provenance and trusted build systems, even a dependency with no known CVEs can still represent significant risk. At Red Hat, we believe the real challenge lies in how software is built, not just what gets shipped. That belief underpins everything we do in software supply chain security, and it’s what led to trusted libraries.
What are trusted libraries?
Trusted libraries provide enterprise‑ready, verifiably built open source libraries with complete supply chain transparency. In this Tech Preview, we are delivering:
- Curated Python packages: Libraries like NumPy, Pandas, and Flask, based on popularity.
- Build‑from‑source artifacts: Produced in Red Hat’s hardened build infrastructure.
- SLSA Level 3 provenance: Including signed build attestations and SBOMs.
- Continuous monitoring and automated rebuilds with upstream patches.
- Seamless pip compatibility: Using packages.redhat.com/trusted-libraries, no workflow changes are required.
Every library is built, signed, and distributed with the same rigor Red Hat applies to its enterprise platforms, so you can have greater confidence in every dependency you ship.
Built on a secure software factory
Trusted libraries are produced using Red Hat’s trusted software build factory, Konflux. This factory approach confirms that every step, from source ingestion to final distribution, is automated, auditable, and verifiable. Rather than treating code security as a post‑build activity, trusted libraries bake trust directly into the pipeline:
- Ingest: Continuously monitor upstream projects for changes and patches.
- Build: Reproducible builds with SLSA Level 3 guarantees.
- Attest: SBOMs, provenance, and build attestations.
- Distribute: High-availability delivery through trusted registries.
The result is not just faster response to vulnerabilities, but a more trustworthy foundation for application development.
Designed for developers, platform teams, and security leaders
Trusted Libraries integrate naturally into existing workflows:
- Developers keep using familiar tools like pip, requirements.txt, and pyproject.toml
- Platform teams can enforce policies through Red Hat tooling and CI/CD integrations
- Security and compliance teams gain SBOMs and attestations aligned with emerging regulatory requirements
Trusted libraries are part of a larger, cohesive effort to enhance the security footprint of the entire software stack. Recently, Red Hat introduced Project Hummingbird, focused on delivering more frequently updated, verifiably built container images with an emphasis on reducing exposure to known vulnerabilities. While Hummingbird addresses trust at the container image layer, trusted libraries extend those same principles up the stack into application dependencies. Together, they represent a unified vision:
- Trusted application dependencies: Trusted Libraries
- Trusted base images: Project Hummingbird
- A shared and protected build foundation: Konflux
This end-to-end approach delivers greater consistency, from the base image your application runs on to the libraries your code imports. The service is included as part of the Red Hat Advanced Developer Suite, reinforcing a secure-by-default development experience across IDEs, CI/CD pipelines, and production environments on top of Red Hat OpenShift.
Tech Preview: What to expect
The Tech Preview of trusted libraries, available in February 2026, is designed for early adopters who want to help shape the future of trusted open source dependencies and provide us feedback ahead of general availability. Over time, we plan to expand trusted libraries to additional ecosystems, such as npm and Java.
Trust shouldn’t be optional—it should be built in, so sign up to participate in the Tech Preview of trusted libraries. We look forward to working with early adopters to shape the future of trusted open source!
Learn more
Red Hat Product Security
About the author
Sudhir Prasad is a Director of Product Management at Red Hat, where he leads the Software Supply Chain Security portfolio. He is responsible for defining product vision, strategy, and execution across multiple enterprise security platforms, helping organizations build, deliver, and operate software securely at scale.
At Red Hat, Sudhir has played a key role in incubating and scaling new software supply chain security products and driving enterprise adoption. His work spans secure software supply chains, artifact signing, security and compliance policy enforcement, secure application pipelines, and compliance automation. In addition, Sudhir drives Red Hat's strategy and execution around AI application and model safety and security, with a focus on enabling secure and compliant AI adoption in regulated and security-sensitive environments. His recent work includes AI-driven initiatives for CVE exploitability analysis, risk assessment, and compliance across structured and unstructured data.
Prior to his current role, Sudhir led product management for Red Hat’s Storage and Data Services portfolios and has held senior product leadership roles at Violin Memory, NetApp, and HP.
Sudhir holds an MBA from Northwestern University’s Kellogg School of Management. He is passionate about building enterprise platforms at the intersection of security, AI, and cloud infrastructure.