A tailored course, built for your situation
Expanded Scope Over SLSA Implementation Decisions
Lead developer security initiatives with authority across toolchain governance and artefact signing.
The situation this course is for
Teams adopt SLSA unevenly, some artefacts are signed, others aren’t. Policies exist but aren’t enforced. You see the path forward, but lack formal mandate to align execution.
Who this is for
Senior IC in a developer-first organization shaping security standards without direct authority over teams.
Who this is not for
Individuals focused on general compliance rather than developer security frameworks, or those not involved in shaping SLSA adoption.
What you walk away with
- Direct ownership of SLSA policy interpretation within your domain
- Authority to approve or adjust artefact signing thresholds
- Ability to set precedence for toolchain integrations that enforce SLSA levels
- Clear audit trail of your decisions in framework adoption documentation
- Recognition as the internal reference point for SLSA implementation nuances
The 12 modules (with all 144 chapters)
- Defining SLSA level 1 artefact metadata requirements
- Identifying build platform trust for level 2
- Enforcing workspace integrity in CI environments
- Mapping provenance signing to specific jobs
- Distinguishing developer-owned vs platform-owned signing
- Validating build step boundaries
- Defining tamper-evident logs for rebuild detection
- Integrating timestamp services with build triggers
- Classifying build types: declarative vs imperative
- Setting criteria for reproducible builds
- Documenting provenance schema fields
- Aligning artefact identity with source control refs
- Embedding provenance signing in default templates
- Automating key handling in ephemeral environments
- Setting signing thresholds by artefact criticality
- Handling key rotation in automated systems
- Validating signature chains at ingestion points
- Designing fallbacks for signing failures
- Integrating OIDC with signing services
- Restricting signing to authorized pipelines
- Logging signature attempts and rejections
- Aligning signing scope with deployment zones
- Documenting chain-of-custody for audits
- Creating override paths with accountability
- Requiring signed base images for all builds
- Locking down build agents to specific repos
- Scanning for unauthorized tool downloads
- Enabling kernel-level integrity checks
- Monitoring for workspace mutations
- Validating build step inputs against source
- Blocking unapproved dependency sources
- Enforcing immutable build logs
- Setting timeouts on build sessions
- Auditing agent provisioning events
- Restricting network access during build
- Automating artifact cleanup post-build
- Linking commits to CI triggers via webhooks
- Validating branch protection rules
- Enforcing PR review requirements
- Capturing merge commit ancestry
- Hashing source trees consistently
- Including source refs in provenance
- Mapping build triggers to specific commits
- Detecting out-of-band changes
- Logging source fetch operations
- Aligning build context paths
- Storing source snapshots with metadata
- Creating traceability reports for auditors
- Defining criticality tiers for internal services
- Assessing customer-facing deployment risk
- Mapping data sensitivity to signing rigor
- Setting minimum SLSA levels by tier
- Documenting rationale for exceptions
- Creating inventory of high-risk artefacts
- Aligning third-party dependencies with tiers
- Reviewing criticality classifications quarterly
- Involving product security in tiering
- Automating tagging based on deployment targets
- Flagging misclassified artefacts in pipelines
- Reporting on coverage gaps by tier
- Validating provenance presence in PR checks
- Checking for minimum SLSA level compliance
- Blocking merges without required metadata
- Enabling preview of provenance claims
- Highlighting missing fields in PR comments
- Automating policy checks with OPA
- Caching validation results for reuse
- Reporting policy drift over time
- Creating override paths with approval
- Integrating with security review workflows
- Alerting on policy violations in comments
- Documenting gate logic for auditors
- Adopting in-toto schema v0.2 fields
- Populating builder.id consistently
- Setting artifact.id with versioned refs
- Including materials with resolved hashes
- Defining entrypoint for rebuild scripts
- Adding invocation parameters securely
- Enabling predicate type differentiation
- Validating schema conformance automatically
- Extending schema with org-specific fields
- Versioning schema changes over time
- Publishing schema guidelines internally
- Auditing schema compliance across teams
- Scanning for unsigned artefacts in registries
- Checking provenance availability in clusters
- Validating SLSA level claims against policy
- Reporting on coverage by team and service
- Tracking progress toward full signing
- Detecting configuration drift
- Generating compliance heatmaps
- Creating executive summaries
- Integrating audit results with dashboards
- Scheduling recurring compliance scans
- Documenting audit methodology
- Sharing findings with security leadership
- Defining valid reasons for exceptions
- Requiring approval for deviations
- Setting expiration dates on exceptions
- Publishing exception register internally
- Automating exception reminders
- Reporting on active exceptions
- Linking exceptions to risk assessments
- Enforcing sunset reviews
- Highlighting exception trends
- Creating playbooks for common scenarios
- Documenting lessons from exceptions
- Designing self-service exception requests
- Identifying early adopter teams
- Sharing success stories internally
- Creating adoption playbooks
- Offering office hours for teams
- Publishing best practices
- Recognizing contributor milestones
- Integrating into onboarding
- Partnering with platform teams
- Measuring adoption velocity
- Addressing feedback loops
- Scaling guidance through champions
- Maintaining roadmap transparency
- Assessing vendor SLSA readiness
- Defining minimum SLSA levels for onboarding
- Validating provenance from external sources
- Creating supplier attestation templates
- Integrating vendor artefacts into audits
- Handling mixed provenance formats
- Setting documentation expectations
- Providing vendor onboarding support
- Tracking compliance across external repos
- Reporting on third-party coverage
- Creating escalation paths for gaps
- Updating contracts with SLSA clauses
- Tracking % of artefacts with provenance
- Measuring time to full SLSA level compliance
- Monitoring policy exception rates
- Reporting on critical service coverage
- Creating public roadmap updates
- Benchmarking against peer teams
- Highlighting efficiency gains
- Sharing audit results constructively
- Documenting lessons learned
- Planning next-phase improvements
- Celebrating milestones
- Institutionalizing playbooks
How this maps to your situation
- Onboarding new services to SLSA frameworks
- Responding to auditor requests for traceability
- Leading incident reviews involving unsigned artefacts
- Scaling secure practices across growing engineering teams
Before vs. after
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
- Hand-built implementation playbook delivered alongside course access
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 3 hours per week over 4 weeks to complete all modules and apply templates.
How this compares to the alternatives
Generic security courses focus on theory; this course gives you decision authority in SLSA governance. Unlike broad compliance trainings, every chapter maps to real-world artefacts and signing decisions you own.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.