Skip to content
>_
SecOps
Log
_
Home
Courses
Learning path
Resources
Topics
Blog
All courses
Software supply chain in depth
Advanced
5 sections · 15 lessons · ~9h total · 60-question self-test
Start course
01
Threat model & SLSA
3 lessons
Test yourself
01
Supply-chain threat model
The trust handoffs from commit to deploy, and how they break.
30 min
02
SLSA levels & provenance
The Build track, L1–L3, and non-falsifiable provenance.
35 min
03
Hermetic & reproducible builds
Pinned inputs, isolation, bit-identical output.
30 min
02
Provenance & in-toto
3 lessons
Test yourself
01
Build provenance in practice
What it asserts and why the build must be hardened.
30 min
02
in-toto attestations
Subject, predicate, and composing evidence.
35 min
03
Verification summary & policy
VSAs and requiring multiple claims before trust.
25 min
03
Sigstore & signing
3 lessons
Test yourself
01
cosign: sign & verify by identity
Verify who signed, not just that it is signed.
35 min
02
Fulcio & keyless signing
Short-lived certs bound to OIDC identity.
30 min
03
Rekor transparency log
Durable, tamper-evident proof of signing.
30 min
04
SBOM & dependency integrity
3 lessons
Test yourself
01
SBOMs with Syft
SPDX/CycloneDX, signed and attached by digest.
30 min
02
Scanning, VEX & re-scan
Gate on what matters; catch new CVEs later.
30 min
03
Dependency integrity
Pin, lock, verify; confusion and typosquats.
30 min
05
Admission & pipeline hardening
3 lessons
Test yourself
01
Verify at admission
policy-controller/Kyverno; identity + attestations by digest.
35 min
02
Registry security
Push control, immutable tags, trust the digest.
25 min
03
Hardening the pipeline
Pin actions by SHA, OIDC, ephemeral runners.
35 min
Final exam
Test yourself on everything
60 questions drawn from all 5 sections — every answer explained as you pick.
Start final exam