Code

Secure the Software Supply Chain of an Open-Source SDK

Free · Verified credential · 3 weeks · Advanced

Overview

What this challenge is about.

What you will do, in order:

  • Audit the current state: dependency tree, publish process, GitHub Actions workflows, signing posture.
  • Generate an SBOM (CycloneDX format) using Syft.
  • Run OpenSSF Scorecard and triage the top 8 deficiencies.
  • Implement: dependency pinning + automated Dependabot review, signed commits + tagged releases (Sigstore), build provenance attestations (SLSA Level 3 via slsa-github-generator), reproducible builds for the NPM artifact, and a 2-person publish approval workflow.
  • Generate per-release attestations and publish to GitHub's attestation store.
  • Author a 4-page external-facing SECURITY.md + supply-chain policy.
  • Deliver the hardened pipeline, SBOM + attestations, and security policy.
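As an added illustration (not part of the challenge brief and not a reference solution from the course), the release workflow below sketches how several of the steps above fit together in one GitHub Actions pipeline: an SBOM produced with Syft via the anchore/sbom-action, SLSA Level 3 provenance from the slsa-github-generator reusable workflow, a GitHub attestation-store entry via actions/attest-build-provenance, and a publish job gated behind a deployment environment whose required reviewers supply the 2-person approval. The package name, the environment name `npm-publish`, and the `@vN` action tags are assumptions; in a real pipeline each action would be pinned to a full commit SHA rather than a tag.

```yaml
# Hypothetical release workflow (example, not the course's own material).
# Assumes: an npm package built from package-lock.json, a deployment
# environment named "npm-publish" with two required reviewers configured
# in repository settings, and an NPM_TOKEN secret scoped to that environment.
name: release

on:
  push:
    tags: ["v*"]

permissions: {}   # deny by default; each job requests only what it needs

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4          # pin to a commit SHA in production
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - run: npm ci                          # lockfile-exact install for reproducibility
      - run: npm pack --pack-destination dist
      - name: Hash the artifact for SLSA provenance
        id: hash
        run: |
          set -euo pipefail
          echo "hashes=$(sha256sum dist/*.tgz | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: dist/*.tgz

  sbom:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0         # runs Syft
        with:
          path: .
          format: cyclonedx-json
          output-file: sbom.cdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json

  provenance:
    needs: build
    permissions:
      actions: read
      id-token: write
      contents: write
    # Reusable workflow that builds the SLSA L3 provenance in an isolated job
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: true

  publish:
    runs-on: ubuntu-latest
    needs: [build, sbom, provenance]
    environment: npm-publish                 # required reviewers = 2-person approval
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: package
          path: dist
      - uses: actions/attest-build-provenance@v1   # writes to GitHub's attestation store
        with:
          subject-path: dist/*.tgz
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: https://registry.npmjs.org
      - run: npm publish dist/*.tgz --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The `permissions: {}` default at the top and the per-job grants are what keep the build job from holding publish-capable tokens; the provenance job is a separate reusable workflow precisely so the build that produced the artifact cannot also forge its own attestation, which is the isolation SLSA Level 3 asks for.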

Credential: Blockchain-anchored
Shareable: LinkedIn-ready
Language: English
Pace: Self-paced

The Brief

What you'll do, and what you'll demonstrate.

Harden the supply chain of an open-source SDK to SLSA Level 3 and publish SBOM + attestations on every release.

Earning criteria — what you'll demonstrate

  • Generate SBOMs and attach them to releases
  • Implement SLSA Level 3 build provenance using GitHub Actions
  • Sign commits + releases with Sigstore + Cosign
  • Author a public supply-chain policy users and security researchers trust

Program Fit

Where this fits in your program.

Sharpens the same skills your degree expects you to demonstrate.

Skills

Skills you'll demonstrate.

Each one shows up on your verified credential.

Careers

Roles this prepares you for.

Real titles. Real skill bridges. Pick the one closest to your trajectory.

Career mappings coming soon.

One more thing

You can put a credential on your CV by Friday.