Domain
Security
Skill Profile
Supply Chain Security
SBOM, Sigstore/Cosign, dependency scanning, container image signing
Security
Supply Chain Security
Roles
4
where this skill appears
Levels
5
structured growth path
Mandatory requirements
15
the other 5 optional
Group
Supply Chain Security
Last updated
3/17/2026
How to Use
Choose your current level and compare expectations. The items below show what to cover to advance to the next level.
What is Expected at Each Level
The table shows how skill depth grows from Junior to Principal. Click a row to see details.
| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Required | Understands basic Supply Chain Security concepts. Follows security guidelines. Recognizes typical code vulnerabilities. |
| DevSecOps Engineer | Required | Understands basic SBOM concepts: software bill of materials formats (SPDX, CycloneDX), dependency tracking, and license compliance fundamentals. Follows security guidelines for reviewing dependency vulnerabilities using automated scanning tools. Recognizes common supply chain attack vectors. |
| Release Engineer | Knows what SBOM (Software Bill of Materials) is and why it is needed for supply chain security. Can generate SBOM with Syft or SPDX tools. | |
| Security Analyst | Required | Understands basic supply chain security concepts: SBOM generation, dependency vulnerability databases (NVD, OSV), and package provenance verification. Follows security guidelines for triaging dependency alerts and documenting component inventories. Recognizes common supply chain risks in third-party software. |
| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Required | Applies SBOM and supply chain security practices in CI/CD pipelines: integrates SCA tools (Snyk, Grype, Trivy), enforces license policies, and automates vulnerability patching workflows. Conducts security reviews of dependency trees and evaluates third-party component risks for production applications. |
| DevSecOps Engineer | Required | Applies Supply Chain Security in daily work. Conducts security code review. Uses scanning and analysis tools. |
| Release Engineer | Integrates SBOM generation into the CI/CD pipeline. Configures dependency vulnerability scanning (Grype, Trivy). Implements vulnerability management workflow. | |
| Security Analyst | Required | Applies supply chain security analysis in daily work: reviews SBOM outputs for vulnerability exposure, tracks CVE impact across dependency graphs, and assesses third-party component risks. Uses SCA scanning tools to monitor software composition and produces risk reports for stakeholders. |
| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Required | Designs security solutions with Supply Chain Security. Conducts threat modeling. Implements security practices in SDLC. Mentors the team. |
| DevSecOps Engineer | Required | Designs security solutions with Supply Chain Security. Conducts threat modeling. Introduces security practices into SDLC. Mentors the team. |
| Release Engineer | Designs comprehensive supply chain security for the organization: SBOM, signed artifacts, SLSA compliance. Implements artifact signing with Sigstore/cosign. | |
| Security Analyst | Required | Designs security solutions with Supply Chain Security. Conducts threat modeling. Integrates security practices into SDLC. Mentors the team. |
| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Required | Defines supply chain security strategy: establishes SBOM generation standards, SCA tool governance, and dependency management policies across the organization. Coordinates incident response for supply chain compromises. Trains development teams on secure dependency practices and SLSA framework adoption. |
| DevSecOps Engineer | Required | Defines DevSecOps supply chain security strategy: establishes SBOM automation pipelines, artifact signing policies (Sigstore, in-toto), and dependency allowlisting governance. Coordinates cross-team response to supply chain incidents. Trains teams on software provenance verification and SLSA compliance. |
| Release Engineer | Defines supply chain security strategy. Makes decisions on SLSA compliance level. Manages vendor risk assessment. This skill is critically important for successful performance in the role. | |
| Security Analyst | Required | Defines organizational supply chain security strategy: establishes SBOM compliance requirements, vulnerability SLA policies, and third-party risk assessment frameworks. Coordinates incident response for dependency compromises across teams. Trains analysts on supply chain threat intelligence and regulatory compliance. |
| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Required | Defines enterprise supply chain security architecture: shapes SBOM standardization across business units, evaluates emerging provenance technologies (SLSA, VEX, SCITT), and drives regulatory compliance strategy. Represents the organization in industry security groups and influences supply chain security standards. |
| DevSecOps Engineer | Required | Defines corporate Supply Chain Security strategy: SLSA Level 3+, SBOM generation (Syft/CycloneDX) for all artifacts, in-toto attestations. Designs Sigstore integration for signing and verifying the entire software supply chain. Introduces policy-as-code for automated provenance verification. |
| Release Engineer | Shapes software supply chain security standards for the organization. Participates in SLSA framework development. Influences industry security practices. | |
| Security Analyst | Required | Defines enterprise security strategy for software supply chain: shapes SBOM adoption across the organization, evaluates emerging standards (SLSA, VEX, OpenSSF Scorecard), and coordinates regulatory compliance. Represents the organization in the security community and influences industry supply chain practices. |
Loading comments...
Sign In to join the discussion