Skip to main content
Image coming soon

Expanded Scope Over SLSA Implementation Decisions

$199.00
Adding to cart… The item has been added

A tailored course, built for your situation

Expanded Scope Over SLSA Implementation Decisions

Lead developer security initiatives with authority across toolchain governance and artefact signing.

$199 one-time
24-hour access provisioning 30-day money-back guarantee Hand-built implementation playbook
12 modules. 12 chapters per module. 144 chapters total.
12 modules, each with 12 chapters (144 chapters total), text-based, plus downloadable templates and a hand-built implementation playbook delivered alongside course access.
Being technically ready but organizationally stalled when influencing secure software delivery standards.

The situation this course is for

Teams adopt SLSA unevenly, some artefacts are signed, others aren’t. Policies exist but aren’t enforced. You see the path forward, but lack formal mandate to align execution.

Who this is for

Senior IC in a developer-first organization shaping security standards without direct authority over teams.

Who this is not for

Individuals focused on general compliance rather than developer security frameworks, or those not involved in shaping SLSA adoption.

What you walk away with

  • Direct ownership of SLSA policy interpretation within your domain
  • Authority to approve or adjust artefact signing thresholds
  • Ability to set precedence for toolchain integrations that enforce SLSA levels
  • Clear audit trail of your decisions in framework adoption documentation
  • Recognition as the internal reference point for SLSA implementation nuances

The 12 modules (with all 144 chapters)

Module 1. Mapping SLSA Levels to Build Pipeline Artifacts
Understand how each SLSA level translates to concrete build constraints and logging requirements in practice.
12 chapters in this module
  1. Defining SLSA level 1 artefact metadata requirements
  2. Identifying build platform trust for level 2
  3. Enforcing workspace integrity in CI environments
  4. Mapping provenance signing to specific jobs
  5. Distinguishing developer-owned vs platform-owned signing
  6. Validating build step boundaries
  7. Defining tamper-evident logs for rebuild detection
  8. Integrating timestamp services with build triggers
  9. Classifying build types: declarative vs imperative
  10. Setting criteria for reproducible builds
  11. Documenting provenance schema fields
  12. Aligning artefact identity with source control refs
Module 2. Designing Signed Provenance Collection Workflows
Create reliable, repeatable processes for collecting signed provenance without breaking developer flow.
12 chapters in this module
  1. Embedding provenance signing in default templates
  2. Automating key handling in ephemeral environments
  3. Setting signing thresholds by artefact criticality
  4. Handling key rotation in automated systems
  5. Validating signature chains at ingestion points
  6. Designing fallbacks for signing failures
  7. Integrating OIDC with signing services
  8. Restricting signing to authorized pipelines
  9. Logging signature attempts and rejections
  10. Aligning signing scope with deployment zones
  11. Documenting chain-of-custody for audits
  12. Creating override paths with accountability
Module 3. Enforcing Build Integrity Through Toolchain Controls
Implement platform-level controls that guarantee build environments meet SLSA integrity bar.
12 chapters in this module
  1. Requiring signed base images for all builds
  2. Locking down build agents to specific repos
  3. Scanning for unauthorized tool downloads
  4. Enabling kernel-level integrity checks
  5. Monitoring for workspace mutations
  6. Validating build step inputs against source
  7. Blocking unapproved dependency sources
  8. Enforcing immutable build logs
  9. Setting timeouts on build sessions
  10. Auditing agent provisioning events
  11. Restricting network access during build
  12. Automating artifact cleanup post-build
Module 4. Establishing Source-to-Artefact Traceability
Ensure every released component can be traced from source commit to final image.
12 chapters in this module
  1. Linking commits to CI triggers via webhooks
  2. Validating branch protection rules
  3. Enforcing PR review requirements
  4. Capturing merge commit ancestry
  5. Hashing source trees consistently
  6. Including source refs in provenance
  7. Mapping build triggers to specific commits
  8. Detecting out-of-band changes
  9. Logging source fetch operations
  10. Aligning build context paths
  11. Storing source snapshots with metadata
  12. Creating traceability reports for auditors
Module 5. Classifying Artefacts by Criticality and Risk
Apply SLSA requirements proportionally based on system impact and exposure.
12 chapters in this module
  1. Defining criticality tiers for internal services
  2. Assessing customer-facing deployment risk
  3. Mapping data sensitivity to signing rigor
  4. Setting minimum SLSA levels by tier
  5. Documenting rationale for exceptions
  6. Creating inventory of high-risk artefacts
  7. Aligning third-party dependencies with tiers
  8. Reviewing criticality classifications quarterly
  9. Involving product security in tiering
  10. Automating tagging based on deployment targets
  11. Flagging misclassified artefacts in pipelines
  12. Reporting on coverage gaps by tier
Module 6. Integrating SLSA Checks into Pull Request Gates
Shift left by enforcing SLSA compliance before merge.
12 chapters in this module
  1. Validating provenance presence in PR checks
  2. Checking for minimum SLSA level compliance
  3. Blocking merges without required metadata
  4. Enabling preview of provenance claims
  5. Highlighting missing fields in PR comments
  6. Automating policy checks with OPA
  7. Caching validation results for reuse
  8. Reporting policy drift over time
  9. Creating override paths with approval
  10. Integrating with security review workflows
  11. Alerting on policy violations in comments
  12. Documenting gate logic for auditors
Module 7. Standardizing Provenance Schema Implementation
Drive consistency in provenance data across teams and systems.
12 chapters in this module
  1. Adopting in-toto schema v0.2 fields
  2. Populating builder.id consistently
  3. Setting artifact.id with versioned refs
  4. Including materials with resolved hashes
  5. Defining entrypoint for rebuild scripts
  6. Adding invocation parameters securely
  7. Enabling predicate type differentiation
  8. Validating schema conformance automatically
  9. Extending schema with org-specific fields
  10. Versioning schema changes over time
  11. Publishing schema guidelines internally
  12. Auditing schema compliance across teams
Module 8. Auditing SLSA Compliance Across Deployment Pipelines
Verify adherence to SLSA standards across systems and time.
12 chapters in this module
  1. Scanning for unsigned artefacts in registries
  2. Checking provenance availability in clusters
  3. Validating SLSA level claims against policy
  4. Reporting on coverage by team and service
  5. Tracking progress toward full signing
  6. Detecting configuration drift
  7. Generating compliance heatmaps
  8. Creating executive summaries
  9. Integrating audit results with dashboards
  10. Scheduling recurring compliance scans
  11. Documenting audit methodology
  12. Sharing findings with security leadership
Module 9. Managing Exceptions and Policy Deviations
Handle edge cases without compromising long-term goals.
12 chapters in this module
  1. Defining valid reasons for exceptions
  2. Requiring approval for deviations
  3. Setting expiration dates on exceptions
  4. Publishing exception register internally
  5. Automating exception reminders
  6. Reporting on active exceptions
  7. Linking exceptions to risk assessments
  8. Enforcing sunset reviews
  9. Highlighting exception trends
  10. Creating playbooks for common scenarios
  11. Documenting lessons from exceptions
  12. Designing self-service exception requests
Module 10. Driving Adoption Through Change Leadership
Lead cultural shift in developer practices without formal authority.
12 chapters in this module
  1. Identifying early adopter teams
  2. Sharing success stories internally
  3. Creating adoption playbooks
  4. Offering office hours for teams
  5. Publishing best practices
  6. Recognizing contributor milestones
  7. Integrating into onboarding
  8. Partnering with platform teams
  9. Measuring adoption velocity
  10. Addressing feedback loops
  11. Scaling guidance through champions
  12. Maintaining roadmap transparency
Module 11. Aligning SLSA with Third-Party Vendor Requirements
Extend your standards to external partners and suppliers.
12 chapters in this module
  1. Assessing vendor SLSA readiness
  2. Defining minimum SLSA levels for onboarding
  3. Validating provenance from external sources
  4. Creating supplier attestation templates
  5. Integrating vendor artefacts into audits
  6. Handling mixed provenance formats
  7. Setting documentation expectations
  8. Providing vendor onboarding support
  9. Tracking compliance across external repos
  10. Reporting on third-party coverage
  11. Creating escalation paths for gaps
  12. Updating contracts with SLSA clauses
Module 12. Sustaining Momentum Through Metrics and Reporting
Demonstrate progress and secure ongoing investment.
12 chapters in this module
  1. Tracking % of artefacts with provenance
  2. Measuring time to full SLSA level compliance
  3. Monitoring policy exception rates
  4. Reporting on critical service coverage
  5. Creating public roadmap updates
  6. Benchmarking against peer teams
  7. Highlighting efficiency gains
  8. Sharing audit results constructively
  9. Documenting lessons learned
  10. Planning next-phase improvements
  11. Celebrating milestones
  12. Institutionalizing playbooks

How this maps to your situation

  • Onboarding new services to SLSA frameworks
  • Responding to auditor requests for traceability
  • Leading incident reviews involving unsigned artefacts
  • Scaling secure practices across growing engineering teams

Before vs. after

Before
Decisions on SLSA implementation are made ad hoc or deferred to others, even when you have the deepest context.
After
You set the precedent on SLSA enforcement thresholds and policy scope, others come to you for direction.

What's included with your purchase

  • 12 modules with 12 chapters each (144 chapters)
  • Downloadable templates and worked examples for every module
  • Hand-built implementation playbook delivered alongside course access
  • 30-day money-back guarantee

Delivery and format

  • Course and learning environment access provisioned within 24 hours of purchase
  • Hand-built implementation playbook delivered alongside course access

Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.

Time investment: Approximately 3 hours per week over 4 weeks to complete all modules and apply templates.

If nothing changes
Without clarity from experienced practitioners, SLSA adoption remains fragmented, leading to inconsistent audit outcomes and reliance on last-minute fixes.

How this compares to the alternatives

Generic security courses focus on theory; this course gives you decision authority in SLSA governance. Unlike broad compliance trainings, every chapter maps to real-world artefacts and signing decisions you own.

Frequently asked

Who is this course designed for?
Senior individual contributors shaping software supply chain security in engineering organizations.
How is the course structured?
12 modules, each containing 12 chapters (144 chapters total).
Does this course cover other frameworks like SBOM or NIST SSDF?
The focus is SLSA, but integration points with SBOM generation and NIST SSDF alignment are covered in context.
$199 one-time. Approximately 3 hours per week over 4 weeks to complete all modules and apply templates..

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

30-day money-back guarantee· 144 chapters· Hand-built playbook included· Account access within 24 hours