A DevSecOps maturity roadmap
Where to start, and what "good" looks like.
This course covers a lot, and no team adopts it all at once. The practical question is sequence: where do you start, and what does "good" look like at each stage? Supply-chain security is a maturity journey, and the highest-leverage controls are cheap and come first — you get most of the risk reduction from a handful of foundational habits before you ever touch SLSA L3 or admission verification.
Start where the leverage is
If you are starting from nothing, the order is clear: protect the default branch and require review; add secret detection and dependency scanning as gating CI stages; pin dependencies and base images; and harden your runners (isolated, ephemeral, no stored production keys). Those foundational controls are inexpensive and stop the most common attacks — unreviewed changes, committed secrets, known-vulnerable dependencies, and compromised build environments. Only once that base is solid do signing, SBOMs, and admission verification add their layer on top.
What "good" looks like
A mature DevSecOps supply chain has a property you can state simply: every artifact running in production is traceable to reviewed source, built by a trusted pipeline, signed and attested, verified at admission, inventoried by an SBOM, and continuously rescanned — and each of those is enforced automatically, not left to discipline. You cannot deploy something unsigned; you can answer "what is in production and where did it come from?" in minutes; and a new CVE is a query, not a crisis. That is the destination this whole course maps toward, one enforced link at a time.