A tailored course, built for your situation
Direct Sign-Off Authority on SLSA Framework Decisions
Own the specification, implementation, and evolution of software supply chain integrity without escalation
Who this is for
Senior practitioner in software supply chain governance shaping framework-level decisions at scale
Who this is not for
Individuals looking for introductory overviews or team-wide compliance checklists
What you walk away with
- Finalize SLSA level definitions without escalation
- Approve attestation criteria and validation thresholds
- Control scope of SLSA implementation across CI/CD pipelines
- Own vendor integration rules for artifact signing and verification
- Document command boundaries that survive team and leadership changes
The 12 modules (with all 144 chapters)
- Understanding SLSA maturity tiers
- Aligning levels with deployment criticality
- Setting minimum build integrity standards
- Incorporating artifact signing mandates
- Mapping toolchain capabilities to SLSA
- Defining trusted build environments
- Establishing provenance metadata rules
- Setting criteria for source authenticity
- Integrating dependency verification
- Documenting level promotion paths
- Assessing organizational readiness
- Finalizing level adoption roadmap
- Classifying artifacts by risk tier
- Mandating in-toto attestations
- Setting signature validation rules
- Defining signing key custody policies
- Establishing expiration windows
- Enforcing time-bound verification
- Mapping roles to attestation rights
- Integrating policy controllers
- Validating attestation freshness
- Automating revocation checks
- Auditing attestation compliance
- Documenting attestation enforcement
- Identifying trusted build agents
- Enforcing isolated build environments
- Requiring reproducible outputs
- Validating build process provenance
- Setting container image signing rules
- Controlling base image sourcing
- Enforcing dependency pinning
- Verifying build entry points
- Auditing pipeline configuration
- Documenting pipeline attestation
- Integrating with CI/CD triggers
- Finalizing pipeline compliance gates
- Classifying dependency risk levels
- Mandating automated vulnerability scans
- Setting SBOM generation rules
- Requiring SPDX or CycloneDX format
- Validating transitive dependency chains
- Enforcing minimum patch windows
- Blocking known-malicious packages
- Integrating package reputation feeds
- Setting override approval paths
- Auditing dependency change logs
- Documenting verification compliance
- Finalizing dependency policy enforcement
- Classifying registry trust zones
- Setting artifact retention periods
- Enforcing role-based access controls
- Defining registry encryption standards
- Requiring immutable storage
- Controlling cross-repository promotion
- Validating registry backup integrity
- Auditing registry access patterns
- Integrating with CI/CD gates
- Documenting registry compliance
- Establishing disaster recovery rules
- Finalizing registry policy enforcement
- Evaluating vendor toolchain compliance
- Setting SLSA integration prerequisites
- Validating third-party signing practices
- Requiring provenance export capabilities
- Establishing vendor audit rights
- Setting SLA expectations for attestation
- Controlling API access scopes
- Enforcing security certification mandates
- Documenting integration approvals
- Auditing vendor compliance posture
- Finalizing vendor attestation standards
- Managing vendor exit processes
- Mapping SLSA rules to policy engines
- Configuring OPA or Kyverno policies
- Integrating with Kubernetes admission
- Setting policy override protocols
- Logging non-compliant deployments
- Enabling automated remediation
- Validating policy consistency
- Auditing policy decision logs
- Documenting enforcement thresholds
- Integrating with observability tools
- Setting alerting rules
- Finalizing policy lifecycle
- Identifying team-specific adaptations
- Setting minimum compliance baselines
- Creating shared implementation templates
- Establishing review escalation paths
- Documenting team exemptions
- Validating cross-team consistency
- Auditing framework drift
- Integrating with platform teams
- Enforcing central policy repositories
- Supporting team-level innovation
- Measuring adoption rates
- Finalizing governance feedback loop
- Mapping SLSA to incident playbooks
- Setting provenance validation triggers
- Requiring artifact lineage during triage
- Validating rollback artifact integrity
- Enabling rapid attestation checks
- Documenting breach response steps
- Auditing response actions
- Integrating with SOC teams
- Establishing forensic access rules
- Controlling emergency override use
- Finalizing incident attestation policy
- Reviewing post-incident compliance
- Identifying audit-relevant artifacts
- Setting evidence collection standards
- Automating SBOM aggregation
- Validating attestation completeness
- Generating reconciliation reports
- Controlling audit data access
- Enforcing data retention rules
- Auditing report generation process
- Integrating with compliance platforms
- Documenting audit response readiness
- Setting auditor access protocols
- Finalizing compliance reporting pipeline
- Establishing upgrade eligibility
- Setting backward compatibility rules
- Evaluating new SLSA features
- Incorporating team feedback
- Planning phased rollouts
- Controlling deprecation timelines
- Validating transition readiness
- Auditing change impact
- Documenting framework decisions
- Integrating with standards bodies
- Finalizing version governance
- Measuring adoption improvement
- Identifying command scope boundaries
- Defining decision ownership
- Mapping authority to roles
- Setting escalation triggers
- Documenting approval waivers
- Validating succession readiness
- Auditing decision records
- Integrating with org charts
- Enforcing documentation updates
- Controlling access to command logs
- Finalizing command playbook
- Measuring command consistency
How this maps to your situation
- When defining SLSA levels for new projects
- Before vendor integration decisions are finalized
- During audit preparation cycles
- After incident response involving supply chain elements
Before vs. after
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
- Hand-built implementation playbook delivered alongside course access
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 3 hours per module, or 36 hours total, with flexible pacing and immediate access to all materials.
How this compares to the alternatives
Unlike generic compliance courses, this program focuses exclusively on command over SLSA framework decisions, giving you documented authority no checklist can provide.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.