A tailored course, built for your situation
Mastering SLSA for Software Integrity Engineers
Build verifiable, production-grade software supply chain safeguards with precision and speed
The situation this course is for
Teams know SLSA is critical, but struggle to translate its controls into deployable, auditable configurations. The documentation is broad, the tooling fragmented, and the path from 'compliant in concept' to 'verified in production' is rarely linear. Without a clear playbook, even strong engineers waste days reconciling specs with CI/CD requirements, reworking attestations, or revalidating build steps, time that should be spent shipping securely.
Who this is for
Software integrity engineers, platform security leads, and DevSecOps practitioners in cloud-first organizations who need to implement SLSA Level 3+ controls with speed and precision.
Who this is not for
Engineers focused only on runtime security or network perimeter controls, or those without direct responsibility for build pipeline integrity or software attestation.
What you walk away with
- Produce signed, verifiable SLSA attestations in under 48 hours
- Confidently map SLSA controls to CI/CD pipeline stages
- Deploy hardened, repeatable build environments aligned with SLSA Provenance
- Reduce review cycles for compliance sign-off by 60%
- Own end-to-end implementation from framework to production artifact
The 12 modules (with all 144 chapters)
- What SLSA solves that other frameworks don’t
- Breakdown of SLSA Level 1 vs Level 3 requirements
- Key roles in SLSA implementation
- Trusted artifacts vs trusted builds
- How SLSA integrates with software supply chain layers
- Common misconceptions about attestation
- Mapping SLSA to development lifecycle phases
- The role of determinism in build environments
- Understanding provenance in practice
- SLSA and zero-trust software delivery
- How regulators view SLSA compliance
- Common pitfalls in early adoption
- Isolating build contexts
- Immutable container images
- Minimal base images for attestations
- Network lockdown during build
- Access control for build agents
- Time-bound build credentials
- Disabling interactive shells
- Enforcing non-root execution
- Binary provenance verification
- Build graph integrity checks
- Securing dependency ingestion
- Validating build entrypoints
- Signing with Keyless PKI
- Identity binding to attestations
- Using Fulcio and TUF
- Generating SLSA provenance
- Signing artifacts with Cosign
- Timestamping with Rekor
- Automating attestation in CI
- Validation pipeline triggers
- Attestation schema structure
- Provenance metadata fields
- Signing across multiple stages
- Re-signing on rebuild
- Parsing provenance files
- Validating signature chains
- Checking build environment integrity
- Verifying source repository links
- Enforcing level-specific controls
- Policy engine configuration
- Using Kyverno or OPA
- Integration with admission controllers
- Fail-fast on invalid attestations
- Audit trail for validation events
- Handling legacy component exceptions
- Automated remediation paths
- Pipeline-as-code design
- Triggering attestation builds
- Parallel validation stages
- Caching with integrity
- Environment promotion gates
- Dependency pinning
- Build reproducibility checks
- Logging for compliance
- Monitoring attestation status
- Failover for signing services
- Scaling attestations across repos
- Managing secrets in CI
- SLSA vs NIST SSDF mapping
- Crosswalk to ISO 27001 A.14 controls
- SOC 2 Trust Service Criteria alignment
- Mapping to CISA SSDF priorities
- GDPR data integrity implications
- Linking to SBOM generation
- Attestation as audit evidence
- Documenting control coverage
- Internal audit package assembly
- Third-party review preparation
- Evidence retention policies
- Automating compliance reporting
- Deterministic file ordering
- Time normalization in builds
- User and group ID handling
- Locale and timezone settings
- Compiler flag consistency
- Dependency resolution ordering
- Random seed control
- Build path normalization
- Hashing strategies
- Comparing outputs across platforms
- Detecting non-reproducible steps
- Fixing common reproducibility breaks
- Keyless vs key-based signing
- Integrating with OIDC providers
- Identity federation setup
- Workload identity configuration
- Setting up signing authorities
- Certificate chain validation
- Short-lived key rotation
- Signing request rate limits
- High availability for signers
- Monitoring signing throughput
- Alerting on signing failures
- Audit logging for signer access
- Level 3 build environment criteria
- Build platform isolation
- Authenticated entrypoints
- Controlled dependency ingestion
- Hardened CI runners
- Build graph completeness
- Provenance completeness
- Signing policy enforcement
- Automated rebuild capability
- Verifiable rebuild triggers
- Immutable logs for builds
- Third-party auditor access setup
- Attestation storage strategy
- Versioned policy documents
- Control implementation logs
- Audit trail completeness
- Reviewer access provisioning
- Automated evidence collection
- Gap assessment templates
- Remediation tracking workflow
- Cross-team validation
- Leadership reporting pack
- External auditor handoff
- Continuous verification cycle
- Template-driven setup
- Centralized signing service
- Policy-as-code deployment
- Automated onboarding flow
- Role-based access to attestations
- Cross-repo dependency tracking
- Standardized metadata schema
- Shared build environments
- Monitoring compliance drift
- Reporting across units
- Automated non-compliance alerts
- Versioning framework updates
- Change control for build pipelines
- Attestation versioning
- Handling deprecated tooling
- Team onboarding for SLSA
- Incident response with attestations
- Disaster recovery planning
- Backup of signing keys
- Rotation of identity providers
- Updating policy documents
- External audit readiness
- Continuous control monitoring
- Year-over-year compliance tracking
How this maps to your situation
- When starting a new SLSA implementation
- During compliance audit prep
- Before platform-wide rollout
- After security incident review
Before vs. after
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
- Hand-built implementation playbook delivered alongside course access
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 18 hours of focused work, designed to be completed in parallel with active implementation cycles.
How this compares to the alternatives
Unlike generic SLSA overviews or vendor-specific tutorials, this course delivers a complete, role-specific implementation system, combining framework mastery, CI/CD integration patterns, and verifiable artefact generation tailored to software integrity engineers.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.