Secure the build pipeline and dependencies: SBOMs, artifact signing, provenance, and SLSA. Build on secure SDLC and CI/CD, then add provenance, signing, and dependency risk management.
1 course · 6 resources · Product security
Step-by-step path
1. Dependencies, transitive risk, and generating SBOMs (Syft)
2. Sign and verify artifacts with Sigstore (Cosign, Fulcio, Rekor)
3. Apply SLSA provenance and harden CI/CD against tampering
4. Build a portfolio artifact and publish a short writeup