Advanced · Self-paced (~16 hrs) · Synthora STA certified · HRDF-claimable

Software Supply Chain Security: SBOM, SLSA & Sigstore

The EU Cyber Resilience Act mandates SBOMs by 2027. Get ahead of the compliance wave now.

About this course

Supply chain attacks (SolarWinds, Log4Shell, XZ Utils) have made software supply chain security a board-level priority. The EU Cyber Resilience Act (2027) and US Executive Orders now mandate Software Bills of Materials (SBOMs) for software products. This course covers the full supply chain security lifecycle: SBOM generation and management, SLSA framework implementation, artifact signing with Sigstore/Cosign, dependency governance, and policy enforcement in CI/CD pipelines.

What you'll achieve

  • Generate and manage SBOMs in CycloneDX and SPDX formats using Syft
  • Implement SLSA Levels 1–3 to harden your build pipeline provenance
  • Sign and verify software artifacts using Sigstore and Cosign
  • Track and govern open source dependencies with OWASP Dependency-Track
  • Automate dependency updates and vulnerability triage with Dependabot and Renovate
  • Build a compliant supply chain pipeline meeting EU CRA and NIST SSDF requirements

Curriculum

  1. Module 1

    Supply Chain Threats & Attack Taxonomy

    SolarWinds · Log4Shell · XZ Utils post-mortem · Attack taxonomy · SLSA threat model · Regulatory landscape

  2. Module 2

    SBOM Fundamentals & Generation

    What is an SBOM? · CycloneDX vs SPDX · Syft & Grype · Trivy SBOM · SBOM for containers · SBOM for code

  3. Module 3

    SLSA Framework: Build Provenance

    SLSA levels explained · Provenance generation · GitHub Actions SLSA builder · Verifying provenance · Reaching SLSA L3

  4. Module 4

    Artifact Signing with Sigstore & Cosign

    Keyless signing · Cosign sign & verify · Rekor transparency log · Policy enforcement with Kyverno · OCI registry signing

  5. Module 5

    Dependency Governance

    OWASP Dependency-Track · Dependabot & Renovate automation · CVE triage workflow · License compliance · Private package security

  6. Module 6

    CI/CD Pipeline Hardening

    Pinning actions & images · Least privilege tokens · Secrets scanning · JFrog Artifactory governance · Supply chain policy as code

  7. Module 7

    Compliance: EU CRA, NIST SSDF & Malaysia Cybersecurity Act

    EU CRA requirements · NIST SSDF mapping · Malaysia Cybersecurity Act 2024 · Audit evidence collection · Compliance reporting

Who this is for

  • DevSecOps engineers embedding security into software delivery
  • Security architects designing supply chain governance frameworks
  • Compliance and risk teams managing software regulatory obligations
  • Software vendors exporting products to the EU market

Tools & technologies

Syft · Grype · Trivy · Cosign · Sigstore · Rekor · Dependabot · OWASP Dependency-Track · Kyverno · GitHub Actions

Prerequisites

  • DevOps or DevSecOps experience (CI/CD pipeline familiarity)
  • Basic container knowledge (Docker)
  • Understanding of package managers (npm, pip, Maven)