What Is Project Lightwell?
Project Lightwell is Red Hat's new initiative to create a unified trust layer for open-source software packages. Announced at Red Hat Summit 2026, it addresses one of the most critical challenges in enterprise software: how do you know the code you're running is what you think it is?
The project tackles the growing threat of supply chain attacks, in which malicious actors compromise upstream dependencies, build pipelines, or package registries to inject vulnerabilities into otherwise trusted software.
The Problem: Trust at Scale
Modern applications depend on hundreds or thousands of open-source packages. Each package has its own:
- Build pipeline (potentially compromised)
- Maintainer chain (potentially social-engineered)
- Distribution channel (potentially tampered)
- Dependency tree (potentially vulnerable)
The 2020 SolarWinds attack, 2021 Log4Shell vulnerability, and 2024 XZ Utils backdoor demonstrated that supply chain attacks are not theoretical; they're inevitable without systematic trust verification.
How Lightwell Works
Project Lightwell provides three core capabilities:
1. Cryptographic Provenance
Every package tracked by Lightwell receives a cryptographic attestation chain:
# Example Lightwell attestation
apiVersion: lightwell.redhat.com/v1
kind: PackageAttestation
metadata:
  name: httpd-2.4.62
spec:
  source:
    repository: https://github.com/apache/httpd
    commit: a1b2c3d4e5f6
  build:
    builder: tekton-chains
    reproducible: true
    signature: sigstore/cosign
  provenance:
    slsa-level: 3
    timestamp: "2026-05-15T10:30:00Z"
2. SBOM Tracking
Lightwell generates and maintains Software Bills of Materials (SBOMs) for every package in the ecosystem:
- CycloneDX and SPDX format support
- Transitive dependency resolution
- License compliance verification
- Known-vulnerability cross-referencing (CVE, GHSA, OSV)
3. Continuous Vulnerability Management
Rather than point-in-time scans, Lightwell provides continuous monitoring:
- Real-time CVE correlation against running package inventories
- Automated risk scoring based on deployment context
- Integration with Red Hat's existing security advisory pipeline (RHSA/RHBA/RHEA)
- Policy-as-code enforcement via Open Policy Agent (OPA) and Kyverno
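As an added example (not Project Lightwell's code, which is not shown on this page), the following Python gate evaluates a PackageAttestation of the shape shown in section 1 against the kind of verify-before-deploy policy that section 3 describes enforcing through OPA or Kyverno. The field names come from the example document; the thresholds (SLSA level 3, reproducible build, Sigstore/cosign signature, pinned commit, 90-day freshness) and the fixed evaluation clock are assumptions.

```python
# Added example (not Lightwell's code): a verify-before-deploy gate over an
# attestation of the shape shown above; thresholds and clock are assumptions.
import re
from datetime import datetime, timezone

# Constructed to mirror the page's example attestation (not a real record).
EXAMPLE_ATTESTATION = {
    "apiVersion": "lightwell.redhat.com/v1", "kind": "PackageAttestation",
    "metadata": {"name": "httpd-2.4.62"},
    "spec": {
        "source": {"repository": "https://github.com/apache/httpd", "commit": "a1b2c3d4e5f6"},
        "build": {"builder": "tekton-chains", "reproducible": True, "signature": "sigstore/cosign"},
        "provenance": {"slsa-level": 3, "timestamp": "2026-05-15T10:30:00Z"},
    },
}
EVALUATION_TIME = datetime(2026, 5, 16, 9, 0, tzinfo=timezone.utc)  # assumed clock

def evaluate_attestation(att, now=EVALUATION_TIME, min_slsa_level=3, max_age_days=90):
    """Return the list of policy violations; an empty list means admit."""
    violations = []
    if att.get("apiVersion") != "lightwell.redhat.com/v1" or att.get("kind") != "PackageAttestation":
        violations.append("unexpected apiVersion/kind")
    spec = att.get("spec", {})
    # The source must be pinned to a commit id, never a branch or tag name.
    commit = str(spec.get("source", {}).get("commit", ""))
    if not re.fullmatch(r"[0-9a-f]{7,40}", commit):
        violations.append("source.commit is not a pinned hex commit id")
    build = spec.get("build", {})
    if build.get("reproducible") is not True:
        violations.append("build is not marked reproducible")
    if build.get("signature") != "sigstore/cosign":
        violations.append("build signature is not sigstore/cosign")
    prov = spec.get("provenance", {})
    if int(prov.get("slsa-level", 0)) < min_slsa_level:
        violations.append(f"slsa-level below required {min_slsa_level}")
    # Reject attestations dated in the future or older than the freshness window.
    try:
        ts = datetime.fromisoformat(str(prov.get("timestamp", "")).replace("Z", "+00:00"))
        if ts > now:
            violations.append("provenance timestamp is in the future")
        elif (now - ts).days > max_age_days:
            violations.append(f"provenance older than {max_age_days} days")
    except ValueError:
        violations.append("provenance timestamp missing or malformed")
    return violations

def admit(att, now=EVALUATION_TIME):
    """True only when every policy rule passes."""
    return not evaluate_attestation(att, now)
```

In a real pipeline the same rules would be expressed as a Rego or Kyverno policy over the signed attestation; the point of the gate is that each rule is machine-checkable before anything is deployed.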
Integration with Existing Ecosystems
Lightwell is designed to work with:
- Sigstore: cryptographic signing and verification
- SLSA (Supply-chain Levels for Software Artifacts): build provenance framework
- in-toto: software supply chain integrity
- Tekton Chains: Kubernetes-native build attestation
- Red Hat Trusted Profile Analyzer (formerly TPA): vulnerability analysis
Why This Matters for Enterprise
For regulated industries (finance, healthcare, government), proving software provenance isn't optional; it's a compliance requirement. The EU Cyber Resilience Act (CRA), US Executive Order 14028, and NIST SSDF all mandate supply chain transparency.
Project Lightwell gives enterprises:
- Audit-ready provenance: prove where every byte came from
- Automated compliance: CRA/EO14028/NIST checks as CI/CD gates
- Blast radius reduction: instant identification of affected systems when a vulnerability drops
- Zero-trust packaging: verify before deploy, always
Open Source Foundation
True to Red Hat's model, Project Lightwell is being developed as an open-source community project. This means:
- Transparent security model (no security through obscurity)
- Community-driven package attestation
- Vendor-neutral trust framework
- Integration with any CI/CD pipeline, not just Red Hat's
Getting Started
Project Lightwell is currently in early access. Organizations interested in participating can:
- Join the upstream community on GitHub
- Integrate with existing Sigstore/SLSA workflows
- Deploy alongside Red Hat Trusted Profile Analyzer
- Contribute package attestations for upstream projects