A DevSecOps maturity roadmap

Where to start, and what "good" looks like.

Advanced12 min · lesson 18 of 18

This course covers a lot, and no team adopts it all at once. The practical question is sequence: where do you start, and what does "good" look like at each stage? Supply-chain security is a maturity journey, and the highest-leverage controls are cheap and come first — you get most of the risk reduction from a handful of foundational habits before you ever touch SLSA L3 or admission verification.

A DevSecOps maturity roadmap
foundational (do first, cheap)
branch protection + review
reviewed source
secret + dependency scanning
in CI, gating
pinned deps + lockfiles
known inputs
isolated CI runners, no stored keys
harden the build
advancing (build on the base)
sign images (keyless)
Sigstore in CI
SBOM per build, stored + queryable
inventory
verify at admission
enforce signing
leading
SLSA L3 provenance
hardened builders
require provenance at admission
full chain enforced
continuous rescan + VEX
operated, not one-off
Left to right, roughly in order. Each stage is useful on its own; you do not need the right column to benefit from the left.

Start where the leverage is

If you are starting from nothing, the order is clear: protect the default branch and require review; add secret detection and dependency scanning as gating CI stages; pin dependencies and base images; and harden your runners (isolated, ephemeral, no stored production keys). Those foundational controls are inexpensive and stop the most common attacks — unreviewed changes, committed secrets, known-vulnerable dependencies, and compromised build environments. Only once that base is solid do signing, SBOMs, and admission verification add their layer on top.

What "good" looks like

A mature DevSecOps supply chain has a property you can state simply: every artifact running in production is traceable to reviewed source, built by a trusted pipeline, signed and attested, verified at admission, inventoried by an SBOM, and continuously rescanned — and each of those is enforced automatically, not left to discipline. You cannot deploy something unsigned; you can answer "what is in production and where did it come from?" in minutes; and a new CVE is a query, not a crisis. That is the destination this whole course maps toward, one enforced link at a time.

Perfect is the enemy of shipped security
The trap at this level is treating the full chain as all-or-nothing and, faced with its size, doing little. Every link you secure and enforce reduces real risk on its own — branch protection alone, or signing alone, is a genuine improvement. Adopt incrementally, enforce what you adopt (an unenforced control is not adopted), and keep climbing. A partial chain that is actually enforced beats a complete design that lives only on a diagram.