Overview
What this challenge is about.
Audit the current build and deploy pipeline against the SLSA 1.0 specification. Identify SLSA-3 gaps (typically: provenance generation, hermetic builds, two-person review, signed provenance). Implement: (1) build-system provenance with SLSA GitHub Generator, (2) Cosign signing on containers AND provenance, (3) policy enforcement at the cluster admission layer via Sigstore policy-controller or Kyverno. Validate end-to-end on a representative service. Deliver an audit report, the implemented controls, a 10-page architecture document, and a procurement-facing attestation summary.
The Brief
What you'll do, and what you'll demonstrate.
Harden a container supply chain to SLSA Level 3 with provenance, signing, and admission-policy enforcement, validated end-to-end on a representative service.
Earning criteria — what you'll demonstrate
- Read the SLSA 1.0 specification and apply it to a real pipeline
- Generate, sign, and verify provenance with Sigstore tooling
- Enforce admission policy that rejects unsigned or unprovenanced artifacts
- Communicate supply-chain hygiene to non-technical procurement reviewers
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.