There has been much discussion lately regarding the "Zero CVE" movement. At Red Hat, we welcome this focus, as emphasized by our recent announcement of Project Hummingbird, which provides more frequently updated container images. Hummingbird represents a shift in how customers receive Red Hat's open source artifacts: faster, without sacrificing code integrity. You can read more about Project Hummingbird here. While this project is relatively new, it's built on years of work and lessons learned in modernizing our own internal build system.
While the industry often focuses on the result (the image), we believe the real problem lies in the process. There is a clear need for verifiable, reproducible, and security-enhanced artifacts produced by a software factory that works at global enterprise scale. That's why we're excited about the Konflux project.
The need for a security-centric software factory
Red Hat has been building and hardening open source software for security-focused enterprises for over 25 years. Since shipping Red Hat Enterprise Linux Advanced Server 2.1 in 2002, we have shipped over 80 major and minor releases of Red Hat Enterprise Linux (RHEL). The acquisition of JBoss, the rise of containers, and new binary ecosystems like Rust and Go only added to the type and volume of artifacts we've had to build with stronger security footprints over the years.
Modern software supply chain attacks began appearing somewhere in the 2008-2011 range (depending on how you classify attacks). While the initial supply chain attacks were mostly targeted espionage (think of the 2011 RSA breach), by 2020 it was clear that we were entering a "mega breach" era in which attacks like the SolarWinds compromise impacted thousands upon thousands of organizations.
In response to the rise in software supply chain attacks, Red Hat has been on a journey to modernize our internal build system. Years of building software had led to a significant amount of technical debt (something many of our customers are very familiar with), so we decided to start from scratch and re-imagine our build system from the ground up. The inspiration for this project, named Konflux, came from the Secure Software Factory whitepaper written by Red Hat and other vendors within the CNCF's Security Technical Advisory Group (TAG Security).
Over the last few years, Konflux has become Red Hat's secure software factory that automates build production through a combination of open source projects including Tekton, Tekton Chains, SPIFFE/SPIRE, Conforma, Hermeto, and Project Quay. All of this runs on a foundation of Kubernetes provided by Red Hat OpenShift Container Platform. We deliver Konflux using a platform engineering approach, meaning that it's treated as a product internally and offers self-service and golden path templates to abstract away complexity from our product teams. As a result, our product teams get the following automatic benefits when building and releasing products with Konflux:
- Signed, tamper-evident SLSA provenance with details of the build process
- Build-time and release-time signatures (sigstore)
- An SBOM describing the contents of the build (Trustify)
- A place to insert integration tests so they are automatically executed for new builds and can gate the release process from even starting
- SAST, malware, and CVE scans
- Hermetic builds (Hermeto)
- Gated release of builds based on all of the above (Conforma)
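The last item is the one that ties the others together: a release gate reads the signed provenance and refuses to promote an artifact whose build does not satisfy policy. The following is an added example (not Konflux's or Conforma's own code) of what such a gate checks in a SLSA v1 provenance attestation carried in a DSSE envelope. It assumes the envelope's signature has already been verified (by cosign or Tekton Chains, for instance), and the attestation, the builder ID, the repository allowlist and the `internalParameters.hermetic` flag are all constructed for illustration; the hermetic flag in particular is a hypothetical builder-specific field, not part of the SLSA schema.

```python
"""Release gate over a SLSA v1 provenance attestation in a DSSE envelope.

Added example, not Konflux's or Conforma's code. Signature verification over
the envelope is assumed to have happened already; this shows the policy
decisions a gate makes over the attestation's contents. All data is constructed.
"""
import base64
import copy
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signer signs over.

    PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
    """
    t = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])


def make_envelope(statement: dict) -> dict:
    """Wrap an in-toto Statement as a DSSE envelope (signatures left empty here)."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": IN_TOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": []}  # a real gate verifies these before reading the payload


def decode_envelope(envelope: dict) -> dict:
    """Return the Statement inside the envelope, rejecting unexpected payload types."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def evaluate_gate(envelope: dict, image_digest: str, policy: dict) -> list[str]:
    """Return the policy violations; an empty list means the release may proceed."""
    violations = []
    stmt = decode_envelope(envelope)
    if stmt.get("predicateType") != SLSA_V1_PREDICATE:
        return [f"predicateType is {stmt.get('predicateType')!r}, expected SLSA v1"]
    # 1. The attestation must be about the artifact actually being released.
    subjects = {s["digest"].get("sha256") for s in stmt.get("subject", [])}
    if image_digest not in subjects:
        violations.append("subject digest does not match the image being released")
    pred = stmt["predicate"]
    # 2. Only a trusted build platform (the SLSA L3 builder) may produce releasable artifacts.
    builder = pred["runDetails"]["builder"]["id"]
    if builder not in policy["trusted_builders"]:
        violations.append(f"untrusted builder {builder!r}")
    # 3. Source must come from an allowed repository at a pinned commit.
    src = pred["buildDefinition"]["externalParameters"].get("source", {})
    if src.get("uri") not in policy["allowed_sources"]:
        violations.append(f"source {src.get('uri')!r} not in allowed list")
    if not src.get("digest", {}).get("gitCommit"):
        violations.append("source is not pinned to a git commit")
    # 4. Every resolved dependency must carry a digest; an unpinned input cannot be reproduced.
    for dep in pred["buildDefinition"].get("resolvedDependencies", []):
        if not dep.get("digest"):
            violations.append(f"dependency {dep.get('uri')!r} has no digest")
    # 5. Hypothetical builder-specific flag recording that the build ran without network access.
    internal = pred["buildDefinition"].get("internalParameters", {})
    if policy.get("require_hermetic") and internal.get("hermetic") is not True:
        violations.append("build did not declare itself hermetic")
    return violations


# Constructed sample data (digests and URLs are placeholders, not real artifacts).
IMAGE_DIGEST = "deadbeef" * 8
GOOD_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "quay.io/example/app", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/tekton-build/v1",
            "externalParameters": {"source": {"uri": "git+https://github.com/example/app",
                                              "digest": {"gitCommit": "f" * 40}}},
            "internalParameters": {"hermetic": True},
            "resolvedDependencies": [{"uri": "pkg:golang/golang.org/x/crypto@v0.21.0",
                                      "digest": {"sha256": "1" * 64}}],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/konflux-tekton/v1"}},
    },
}
# A tampered copy: built on an untrusted machine, from an unpinned source, with an unpinned input.
TAMPERED_STATEMENT = copy.deepcopy(GOOD_STATEMENT)
TAMPERED_STATEMENT["predicate"]["runDetails"]["builder"]["id"] = "https://laptop.example/dev"
del TAMPERED_STATEMENT["predicate"]["buildDefinition"]["externalParameters"]["source"]["digest"]
TAMPERED_STATEMENT["predicate"]["buildDefinition"]["resolvedDependencies"].append(
    {"uri": "https://mirror.example/blob.tar.gz"})
POLICY = {"trusted_builders": {"https://example.com/builders/konflux-tekton/v1"},
          "allowed_sources": {"git+https://github.com/example/app"},
          "require_hermetic": True}


def demo() -> tuple[list[str], list[str]]:
    """Run the gate over the good and the tampered attestation."""
    good = evaluate_gate(make_envelope(GOOD_STATEMENT), IMAGE_DIGEST, POLICY)
    bad = evaluate_gate(make_envelope(TAMPERED_STATEMENT), IMAGE_DIGEST, POLICY)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good build:", "release allowed" if not good else good)
    print("tampered build:", bad)
```

The gate returns violations rather than a single boolean so the pipeline can surface every failing rule at once; a real deployment would add the signature check over `dsse_pae(...)` before `decode_envelope` and source the allowlists from a policy repository rather than literals.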
With Konflux, Red Hat has built over 2 million software artifacts for our customers in 2025 alone and for multiple architectures (x86_64, PPC64, ARM, and Z). The supply chain adheres to SLSA Level 3 integrity, providing extra resistance to specific threats, such as cross-build contamination. Most recently, we were able to achieve what many believe to be one of the highest benchmarks of supply chain security by achieving fully reproducible builds. Enhancing the security of a portfolio of 2 million artifacts across four architectures with SLSA Level 3 guarantees is an engineering feat that defines the Red Hat standard in 2026.
The need for your own secure software factory
Konflux isn't just a new tool; rather, it's the culmination of 25 years of institutional knowledge. It represents our transition from being a vendor that delivers security-focused software to a partner that democratizes the ability to build it. Not only does Konflux help Red Hat more safely deliver artifacts to customers and partners, but customers can build their own secure software factory thanks to the open source nature of Konflux and the fact that it's built from a combination of open source projects from the CNCF and OpenSSF.
We don't want to be the only ones who can build security-focused software. By making Konflux open source, we're handing you the ability to build your own factory so you can achieve the same rigor for your releases.
Additionally, we ship many of the components of Konflux as features within our platforms. This means you can use Red Hat's solutions to implement your own secure software factories and inherit Konflux's benefits. We are committed to making sure that any work Red Hat does to better our own build system begins in an open source community project and is available as part of our platform. For example, we recently launched the Red Hat Zero Trust Workload Identity Manager, based on the SPIFFE/SPIRE project, as a Tech Preview in Red Hat OpenShift Platform Plus, giving customers the ability to perform workload attestation in the same way Red Hat does. We also provide support for the sigstore project with Red Hat Trusted Artifact Signer, and for Trustify with Red Hat Trusted Profile Analyzer.
AI and the secure software factory
The era of AI will only increase the need for organizations to implement security-forward software factories. AI generates code at unprecedented volumes. Therefore, an automated secure software factory is the only thing that can scale to generate security-enhanced artifacts and images efficiently to keep pace with that volume. As Jennifer Riggins wrote about platform engineering in The New Stack, "It is also a natural response to AI adoption demanding at least an internal developer portal, if not a full-fledged platform, laying down guardrails and sometimes gates for this new level of speed." We couldn't agree more.
The secure software factory is the guardrail for the AI-accelerated future, making sure that what exits the build pipeline is tamper-free and can be trusted. We are excited to be working with our customers, partners, and the industry to help implement secure software factories using the best of open source innovation, furthering the ability of open source to unlock the world!
Learn more
Red Hat Product Security
About the author
James Labocki is senior director of Product Management at Red Hat.