
Software Supply Chain Compliance for Platform Engineers

$199.00

A focused course, tailored for you

Build the SBOM pipeline, SLSA attestations, and artifact-signing controls that enterprise procurement teams now require before they ship.

Enterprise customers are adding a new line to their vendor security reviews: signed artifacts, software bill of materials, and SLSA level documentation. The tooling exists. The implementation path from a working CI/CD pipeline to a compliant attestation record does not come pre-assembled.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Platform engineers at code hosting and developer tooling companies sit at an unusual intersection: they build the infrastructure other engineers use to ship software, and they are now responsible for proving that infrastructure is itself supply-chain compliant. The EU Cyber Resilience Act, the US Executive Order on software security, and a wave of enterprise security questionnaires have converged on the same checklist: SBOM in a machine-readable format, artifact signatures verifiable via Sigstore or similar, SLSA level documentation per build environment, and OpenSSF Scorecard baselines above a minimum threshold. None of those standards prescribes exactly how to implement across a heterogeneous build estate. The gap between reading the SLSA framework and producing a signed SLSA provenance record in a GitHub Actions workflow is where teams stall. The gap between generating a CycloneDX SBOM and maintaining it across 400 repositories is where the promise of compliance diverges from the operational reality.

What you walk away with

  • Generate and maintain CycloneDX and SPDX SBOMs across a multi-repository build estate with a single pipeline pattern.
  • Integrate Sigstore cosign signing into GitHub Actions release workflows so every published artifact carries a verifiable signature.
  • Document SLSA level attainment for each build tier and produce the provenance records procurement teams ask for.
  • Implement in-toto attestation layouts for critical release pipelines without requiring every team to manage their own policy files.
  • Produce an OpenSSF Scorecard baseline report and a remediation backlog prioritised by customer-facing impact.
  • Deliver a one-page compliance summary that answers enterprise security questionnaires without sharing full pipeline architecture.

The 12 modules

Module 1. Why Procurement Changed: The Regulatory Trigger Stack
Maps the specific mandates now landing in enterprise vendor reviews: the US Executive Order Section 4(e) SBOM requirements, the EU Cyber Resilience Act Article 13 compliance timeline, and the CISA secure software development framework. Explains which obligations apply to software that ships to regulated industries versus general commercial buyers. Produces a one-page regulatory trigger matrix the team can use to scope which pipelines need attestation first.
Module 2. SBOM Formats: CycloneDX vs SPDX Decision
Works through the format choice in detail: CycloneDX 1.4 and 1.5 versus SPDX 2.3, what each format expresses that the other does not, which procurement teams and government buyers ask for which format by name, and how to generate both from the same pipeline without duplicating tooling. Includes a worked example using Syft and cdxgen against a Node.js and a Go module, with the output compared side by side.
Module 3. SBOM at Scale: Multi-Repository Pipeline Architecture
Addresses the specific challenge of maintaining SBOM accuracy across a large repository estate. Covers generation-at-build versus generation-at-release tradeoffs, how to handle monorepos and polyrepos differently, where SBOM files should be stored and how they should be versioned, and how to surface a unified SBOM inventory without requiring every team to manage their own toolchain. Includes a GitHub Actions reusable workflow template that teams can adopt without modifying their existing release steps.
Module 4. Artifact Signing with Sigstore and Cosign
Step-by-step integration of cosign into a GitHub Actions release workflow using keyless signing via GitHub OIDC. Covers what the transparency log entry proves, how a downstream consumer verifies the signature, what happens when a signing event fails mid-release, and how to handle container image signing separately from binary signing. Works through the exact cosign commands and policy files needed to make verification automated rather than manual.
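As an added illustration of the release pattern Module 4 describes (this is example code written for this page, not the course's own template), the workflow below generates a CycloneDX SBOM with Syft, signs the artifact and the SBOM with cosign keyless signing through the GitHub OIDC token, publishes everything as release assets, and then verifies the signature the way a downstream consumer would. The repository name example-org/app, the artifact path dist/app.tar.gz and the action version tags are assumptions; in production each action would be pinned to a full commit SHA.

```yaml
# .github/workflows/release.yml (added example, not course material)
# Assumptions: the build produces dist/app.tar.gz, the repo is example-org/app,
# and the action version tags shown are illustrative (pin to commit SHAs in production).
name: release
on:
  push:
    tags: ["v*"]

permissions: {}   # no default token scopes; the job declares exactly what it needs

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed by gh release create
      id-token: write   # lets the job request a GitHub OIDC token for keyless signing
    steps:
      - uses: actions/checkout@v4

      - name: Build artifact (stand-in for the real build step)
        run: |
          mkdir -p dist
          tar -czf dist/app.tar.gz --exclude=.git --exclude=dist .

      - name: Generate CycloneDX SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          output-file: dist/app.cdx.json

      - uses: sigstore/cosign-installer@v3

      - name: Keyless-sign the artifact and its SBOM
        # No long-lived key: cosign exchanges the job's OIDC token for a short-lived
        # Fulcio certificate and records the signature in the Rekor transparency log.
        # --yes skips the interactive prompt; --bundle stores certificate, signature
        # and log entry in one file that travels with the artifact.
        run: |
          cosign sign-blob --yes --bundle dist/app.tar.gz.sigstore.json dist/app.tar.gz
          cosign sign-blob --yes --bundle dist/app.cdx.json.sigstore.json dist/app.cdx.json

      - name: Publish artifact, SBOM and signature bundles as release assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release create "${GITHUB_REF_NAME}" --generate-notes \
            dist/app.tar.gz dist/app.cdx.json dist/*.sigstore.json

      - name: Verify exactly as a downstream consumer would
        # The identity regexp binds the certificate to this workflow file in this
        # repository on a tag ref; the issuer pins it to GitHub's OIDC provider.
        # A signature produced by any other repo, workflow or branch fails here.
        run: |
          cosign verify-blob \
            --bundle dist/app.tar.gz.sigstore.json \
            --certificate-identity-regexp '^https://github.com/example-org/app/\.github/workflows/release\.yml@refs/tags/v' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            dist/app.tar.gz
```

The verification step is the part to hand to customers: the same `cosign verify-blob` invocation, with the bundle downloaded from the release, is what a procurement team or their security staff runs to confirm the artifact was built by the named workflow. If the signing step fails mid-release, no bundle is uploaded and the verification step fails, so a partially signed release never reaches the release page with a passing run.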
Module 5. SLSA Framework: Attaining and Documenting Each Level
Translates SLSA levels 1 through 3 into concrete build environment requirements: what source integrity controls satisfy level 2, what build isolation and hermetic build requirements look like in practice, and where GitHub-hosted runners sit versus self-hosted runners in the SLSA attainment map. Produces a per-pipeline SLSA level declaration document and the provenance record format that satisfies level 2 and level 3 requirements for auditors who have not read the full SLSA spec.
Module 6. In-Toto Attestation Layouts for Release Pipelines
Covers the in-toto framework for supply chain security policy: how to define a layout that specifies exactly which steps must run and in what order for a valid release, how to attach step attestations from GitHub Actions using the attestations API, and how to produce a final product verification record without requiring every engineering team to maintain their own layout file. Includes a worked layout for a standard containerised application release.
Module 7. OpenSSF Scorecard: Baseline, Triage, and Remediation
Runs Scorecard against a representative repository and interprets each check: branch protection, dependency update tooling, code review requirements, CI tests, binary artifacts, license, packaging, and vulnerabilities. Explains which checks are highest-leverage for enterprise procurement reviewers, how to set a minimum threshold policy across the organization, and how to build the remediation backlog so teams improve score without blocking their own release cycles.
Module 8. Dependency Review and Vulnerability Disclosure Workflow
Integrates GitHub's dependency review action into pull request workflows so license violations and newly introduced high-severity CVEs block merge rather than ship. Covers the CVSS threshold decisions, how to handle transitive dependencies that cannot be easily pinned, and how to structure the internal disclosure workflow so a reported vulnerability in a shipped artifact reaches the right team without going through a public issue tracker. Produces a written policy template that satisfies ISO 29147 disclosure expectations.
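An added example of the pull-request gate Module 8 describes (example configuration written for this page, not the course's template): GitHub's dependency review action, configured so that a newly introduced dependency with a high or critical advisory, or one under a licence the policy rejects, fails the check before merge. The licence list is illustrative, and the action version tag is an assumption.

```yaml
# .github/workflows/dependency-review.yml (added example, not course material)
name: dependency-review
on:
  pull_request:

permissions:
  contents: read   # the action only needs to read the PR's manifest diff

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Fail the check when a dependency added or upgraded in this PR carries a
          # GitHub advisory at or above this level (low | moderate | high | critical).
          # This is the advisory severity label, not a raw CVSS score.
          fail-on-severity: high
          # SPDX identifiers the procurement policy does not accept (illustrative list).
          deny-licenses: GPL-3.0, AGPL-3.0
```

Make the check a required status check on the release branches so the policy is enforced by branch protection rather than by convention; the transitive-dependency cases the module discusses surface here as well, because the action evaluates the full resolved manifest diff, not only direct dependencies.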
Module 9. Package Ecosystem Policy: npm, PyPI, Maven, and Container Registries
Addresses the policy decisions that apply differently across ecosystems: namespace squatting mitigations in npm, typosquatting detection in PyPI, artifact integrity verification in Maven Central, and digest pinning in container pulls. Covers what a registry-level policy document looks like for each ecosystem and how to enforce it at the GitHub Actions level without requiring every team to copy-paste the same workflow YAML. Produces one ecosystem policy template per registry type.
Module 10. GitHub Actions Security: Workflow Hardening and OIDC Scope
Works through the specific security surface that GitHub Actions introduces into the supply chain: third-party action pinning to SHA versus tag, GITHUB_TOKEN minimum-permission declarations, OIDC token scope limits per workflow, and the reusable workflow pattern for distributing security-critical steps without giving teams direct access to signing keys. Covers the CODEOWNERS and required review patterns that prevent a compromised contributor account from modifying a release workflow.
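The reusable-workflow pattern and pinning rules from Module 10, as an added example (written for this page, not the course's own template). Two files are shown as one multi-document YAML stream: the signing workflow lives in a platform-team repository that product teams cannot edit, and each product repository calls it from a job that carries only the token scopes the signing step needs. example-org, the artifact path and every `<full-commit-sha>` marker are placeholders; a real workflow pins each action and the called workflow to an actual 40-character commit SHA, with the version tag kept in a trailing comment so dependency update tooling can still track it.

```yaml
# --- file: example-org/platform-workflows/.github/workflows/sign-release.yml
# (added example, not course material; central repository owned by the platform team,
#  with a CODEOWNERS entry requiring platform-team review for this path)
name: sign-release
on:
  workflow_call:
    inputs:
      artifact-name:
        description: Name of the uploaded build artifact to sign
        required: true
        type: string

permissions: {}

jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # only this centrally reviewed job may mint an OIDC token
      contents: write   # publish the signature bundle as a release asset
    steps:
      - uses: actions/download-artifact@<full-commit-sha>   # v4 (placeholder SHA)
        with:
          name: ${{ inputs.artifact-name }}
          path: dist
      - uses: sigstore/cosign-installer@<full-commit-sha>    # v3 (placeholder SHA)
      - name: Keyless-sign with the caller's OIDC identity
        run: cosign sign-blob --yes --bundle dist/app.tar.gz.sigstore.json dist/app.tar.gz
      - name: Attach the bundle to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${GITHUB_REF_NAME}" dist/app.tar.gz.sigstore.json
---
# --- file: example-org/app/.github/workflows/release.yml  (a product repository, the caller)
name: release
on:
  push:
    tags: ["v*"]

permissions: {}   # jobs start with no token scopes and opt in individually

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # build needs to read the source and nothing more
    steps:
      - uses: actions/checkout@<full-commit-sha>         # v4 (placeholder SHA)
      - run: mkdir -p dist && tar -czf dist/app.tar.gz --exclude=.git --exclude=dist .
      - uses: actions/upload-artifact@<full-commit-sha>  # v4 (placeholder SHA)
        with:
          name: release-artifact
          path: dist/app.tar.gz

  sign:
    needs: build
    # The signing logic is pinned by SHA to the platform repo; a product-team
    # contributor cannot alter it from this repository, and the calling job
    # grants only the two scopes the called workflow requires.
    uses: example-org/platform-workflows/.github/workflows/sign-release.yml@<full-commit-sha>
    permissions:
      id-token: write
      contents: write
    with:
      artifact-name: release-artifact
```

With this split, no product repository ever holds a signing key (keyless signing has none to hold), the OIDC token is only requested by the centrally reviewed job, and a compromised contributor account in a product repository can change the build step but not the signing workflow, which is what the CODEOWNERS and required-review controls in the platform repository protect.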
Module 11. The Compliance Summary Document: Answering Procurement Without Sharing Architecture
Builds the one-page compliance summary that answers the enterprise security questionnaire rows on SBOM, artifact signing, SLSA level, and vulnerability disclosure without requiring the buyer to read full pipeline documentation. Covers the exact fields procurement teams look for, how to describe SLSA level 2 attainment in plain language, how to reference SBOMs and signatures without embedding them in the questionnaire response, and how to keep the document current as tooling evolves.
Module 12. Implementation Roadmap: From Current State to First Signed Release
Produces the sequenced implementation plan for a team that has none of these controls today: what to ship in the first two weeks (SBOM generation for the highest-visibility repository), what to add in the first month (cosign signing for release artifacts), and what constitutes a defensible SLSA level 2 posture at the three-month mark. Includes the communication template for announcing the new controls to enterprise customers and the internal changelog format that keeps the security questionnaire answers accurate over time.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Enterprise customer security review arrives with new SBOM and attestation rows: modules 1, 11, and 12 answer it.
Team needs to ship signed artifacts but has no keyless signing setup: modules 4 and 10 walk the exact implementation.
Leadership asks what SLSA level the build environment achieves: modules 5 and 6 produce the documentation.
Dependency vulnerability in a shipped artifact surfaces via a researcher report: module 8 handles the disclosure workflow.

What you get with this course

  • 12 written modules covering the full software supply chain compliance stack
  • Reusable GitHub Actions workflow templates for SBOM generation, cosign signing, and SLSA provenance
  • CycloneDX and SPDX worked examples against Node.js and Go modules
  • In-toto layout template for a standard containerised release
  • OpenSSF Scorecard remediation backlog template
  • Ecosystem policy templates for npm, PyPI, Maven, and container registries
  • One-page procurement compliance summary template
  • Hand-built implementation playbook for your specific stack and repository topology, delivered alongside course access

What you will have in hand by Day 1, Week 1, Month 1

Course access and implementation playbook delivered within 24 hours of purchase

Reusable workflow templates ready to drop into an existing GitHub Actions setup

Compliance summary template ready to send to procurement within the first week

Before and after

Before

Enterprise security questionnaires asking for SBOM, SLSA level, and artifact signatures land with no documented answer. The team knows the tooling exists but the implementation path from current CI/CD to compliant attestation record has not been assembled.

After

The pipeline generates and publishes signed SBOMs for every release. Artifact signatures are verifiable via the Sigstore transparency log. SLSA level documentation exists per build tier. The one-page compliance summary answers enterprise procurement without sharing pipeline internals.

What happens if you do not address this

The next enterprise customer security review that asks for SBOM or SLSA documentation will stall at a row with no answer. That stall shows up in procurement timelines. The EU Cyber Resilience Act timeline is not flexible; late-stage implementation is more disruptive than early-stage. And once one enterprise buyer normalises asking for signed artifacts, every other buyer in that sector follows within two renewal cycles.

Who it is for

Platform engineers, developer experience leads, and security engineers at software companies who own the CI/CD infrastructure, artifact publication pipeline, and supply chain security posture. Likely already familiar with GitHub Actions, container registries, and package manager ecosystems. Accountable when a customer security questionnaire asks for SLSA level or SBOM export and the answer is not yet documented.

Who this is NOT for. Application developers who do not own the build pipeline. Security analysts focused on vulnerability scanning rather than attestation and provenance. Teams shipping internal-only software with no enterprise customer procurement requirements.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 12 modules at approximately 30-45 minutes each. Can be worked through sequentially or by module for teams tackling a specific gap first.

Why $199 is the right number

The SLSA framework documentation and OpenSSF guides are public and thorough. What they do not provide is a sequenced implementation path for a team that owns a heterogeneous build estate and needs to produce customer-facing compliance documentation alongside the technical controls. Consulting a specialist costs significantly more and typically produces a report rather than working templates.

FAQ

Our build estate is a mix of GitHub Actions, Jenkins, and a few self-hosted runners. Does this course cover that?
Yes. The SLSA level and in-toto modules cover both cloud-hosted and self-hosted runner environments. The implementation playbook is built for your specific topology.
We already have Dependabot and some basic Scorecard checks. Is there still value here?
Yes. Dependabot and Scorecard address vulnerability detection and repository hygiene. The gap this course covers is the attestation layer: signed artifacts, SBOM publication, SLSA provenance, and the compliance documentation that answers enterprise procurement. Those are separate from automated dependency updates.
Do we need to meet the EU Cyber Resilience Act requirements now?
The CRA timeline has staggered compliance dates. Products shipping to European enterprise buyers should be building toward compliance now so the documentation and controls are in place before the first audit cycle, not after. The course maps which CRA articles apply and in what order.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.