Purpose
The CleanStart Knowledge Hub contains 180+ documentation files organized across 8 pillars covering every aspect of container security, supply chain verification, compliance, and production operations. This guide helps you navigate this extensive collection efficiently based on your role, experience level, and specific goals.
The entire knowledge system is structured to support multiple entry points. If you are new to containers and containerization, you should start at the fundamentals to understand core concepts before diving into advanced topics. If you are a DevOps engineer responsible for deploying containers to production, you can jump directly to operational patterns and deployment procedures that address your immediate needs. If you represent your organization's security team and need to evaluate supply chain controls, verify cryptographic signatures, and ensure compliance with regulations, the security-first path guides you through vulnerability management, image signing, SBOM generation, and policy enforcement. If you are a manager or executive justifying the investment in container security infrastructure, the business case section explains return on investment, risk mitigation, and competitive advantages. The guide below provides curated reading paths for each role, plus a quick reference table to help you quickly answer the question "I need to..." and find the right document.
Training Tier Classification
Each document in the CleanStart Knowledge Hub falls into one of four training tiers. Understanding these tiers helps you plan learning curricula, assess organizational readiness, and structure training programs appropriately.
Tier 1: Vendor-Neutral Concepts (Approximately 35 documents)
Tier 1 documents provide foundation knowledge that applies universally to any container platform, orchestration system, or cloud provider. These documents assume no prior knowledge and establish the conceptual bedrock upon which all advanced topics are built. Start here if your learners are new to containers, if your organization is just beginning to understand software supply chain security, or if your team lacks cloud-native experience.
Tier 1 documents are primarily located in the 01-Understand pillar, though some foundational concept documentation exists throughout the 02-Explore and 03-Learn pillars. The key topics covered include the fundamentals of containers and container images, how registries work and why they matter, package managers and dependency resolution, understanding CVEs and vulnerability scoring, what SBOMs (Software Bills of Materials) are and why regulators require them, SLSA (Supply-chain Levels for Software Artifacts) compliance levels and their requirements, Sigstore and cryptographic image signing, major compliance frameworks (SOC 2, ISO 27001, PCI-DSS, HIPAA, FedRAMP), CI/CD pipeline concepts and security controls, Kubernetes fundamentals and architecture, and Helm package management for Kubernetes applications.
The boundary between Tier 1 and other tiers is clear: if a document explains a universal concept without requiring knowledge of CleanStart-specific tooling, workflows, or design decisions, it belongs in Tier 1. A document explaining what a container is, how images are built, or why supply chain security matters belongs in Tier 1. A document explaining CleanStart's specific implementation approach does not.
Tier 2: CleanStart Deep Dive (Approximately 20 documents)
Tier 2 documents dive deeply into CleanStart's architecture, design decisions, technical internals, and the specific rationale for how CleanStart implements container security differently from traditional approaches. These documents assume you have completed Tier 1 and understand foundational container concepts. Read Tier 2 after establishing Tier 1 knowledge.
Tier 2 documents are located primarily in the 02-Explore deep-dives section, the 03-Learn architecture documentation, and select comparison documents in the 03-Learn pillar. Key topics include CleanStart's two-factory architecture and how it differs from traditional build systems, the APK (Alpine Package Keeper) and GLIBC design choices and their security implications, the 11 distinct build artifacts that CleanStart produces and what each one is for, the verified source philosophy and how it reduces supply chain attack surface, the zero-trust supply chain model and multi-stage verification, the image signing model and how signatures flow through the system, and the overall CleanStart security model and defense-in-depth approach.
The boundary for Tier 2 is specific: if a document explains why CleanStart works the way it does (its architecture, design rationale, comparison to alternative approaches), it belongs in Tier 2. A document comparing CleanStart to traditional container registries belongs in Tier 2. A document explaining how to deploy CleanStart in your environment belongs in Tier 3.
Tier 3: Operations (Approximately 70 documents)
Tier 3 is the largest tier and contains day-to-day operational procedures, practical deployment patterns, monitoring strategies, compliance enforcement mechanisms, and incident response procedures. These are the documents your teams will reference regularly as they operate production systems.
Tier 3 documents cover deployment patterns for different architectures (serverless, Kubernetes, hybrid), production monitoring and observability, compliance enforcement using policies and automation, incident response procedures and playbooks, troubleshooting guides for common issues, performance optimization and capacity planning, security event handling and audit requirements, GitOps and continuous deployment patterns, secrets management in production, and cost optimization strategies. These documents assume you understand both Tier 1 concepts and CleanStart's Tier 2 architecture, and they focus on practical implementation and operational excellence.
Tier 4: Hands-On Labs and Capstone Projects (Approximately 30 documents)
Tier 4 documents are interactive, hands-on learning resources that walk you through building real systems, deploying to production, and solving complex multi-step problems. These documents are the capstone of learning paths and are best approached after completing relevant Tier 1, 2, and 3 documents.
Tier 4 includes containerizing applications of various types, setting up secure registries, implementing supply chain controls, hardening existing container deployments, deploying to Kubernetes with security policies, implementing continuous scanning and vulnerability management, responding to security incidents, and building automated compliance systems. Each Tier 4 document includes hands-on labs, code examples, configuration files, verification steps, and success criteria so learners can validate their work.
Role-Based Learning Paths
Organizations have different roles and responsibilities. The paths below are curated for each major role and show the recommended reading order, prerequisites, and estimated time to completion.
Path 1: Developer (Building Container Applications)
Duration: 4-6 weeks (30-40 hours)
Prerequisites: Some programming experience; containers optional but helpful
Goal: Write Dockerfiles, understand image security, build verified images, implement secrets management
Recommended Reading Order:
Start with Tier 1 foundational concepts. Begin with "What is a Container?" to understand containerization from first principles. This document covers the union filesystem, Linux namespaces, cgroups resource isolation, and how applications perceive the container environment. Then read "Container Images and Layers Explained" to understand image structure, the build cache, layer deduplication, and how base images determine vulnerability surface. After building this conceptual foundation, read "Dockerfile Best Practices" to learn how to write efficient, secure, minimal Dockerfiles that follow security principles from the beginning of development.
Move on to "Building and Pushing Images" to understand the complete build and registry workflow, including authentication to registries, image tagging conventions, and what happens when you push an image. Read "Container Security Best Practices: From Build to Runtime" to understand how security decisions made at build time affect production deployments. This includes choosing minimal base images, using multi-stage builds, avoiding hardcoded secrets, pinning dependency versions, and signing images.
Next, review "Container Registries Compared" to understand which registry is appropriate for different scenarios. If your organization uses a specific registry such as ECR, GCR, Docker Hub, or Harbor, read the specific section to understand its authentication model, scanning capabilities, and integration patterns.
Then study supply chain security concepts. Read "SBOM Fundamentals and Generation" to understand what a Software Bill of Materials is, why regulators require SBOMs, and how to generate them from your applications. Read "Container Image Signing and Verification" to learn how Cosign works, what keyless signing provides, and how to integrate signing into your build pipeline. Read "SLSA Framework and Supply Chain Levels" to understand SLSA levels 0-4 and what your organization's target level requires.
Finally, move to hands-on labs in Tier 4. Complete "Hands-On: Build a Verified Container Image from Scratch", which walks through creating a Dockerfile, building the image, scanning it for vulnerabilities, generating an SBOM, signing the image, and pushing it to a registry. Complete "Hands-On: Implement Secrets Management in Your Application" to learn how to avoid hardcoding secrets and use Kubernetes Secrets or external vaults.
Path 2: DevOps / Platform Engineer (Deploying and Operating Containers at Scale)
Duration: 6-10 weeks (40-60 hours)
Prerequisites: Kubernetes familiarity; some infrastructure experience
Goal: Deploy applications securely, implement compliance policies, monitor production containers, respond to incidents
Recommended Reading Order:
Begin with Tier 1 fundamentals but focus on operations and infrastructure topics. Read "Kubernetes Fundamentals for Container Security" to understand how Kubernetes isolates workloads, manages networking, handles secrets, and enforces security policies. Then read "Container Registries Compared" with focus on enterprise registries such as ECR, GCR, and ACR and their integration with Kubernetes.
Move into Tier 2 to understand CleanStart's architecture. Read "CleanStart Two-Factory Architecture" to understand how verified images are built differently. Read "CleanStart Security Model" to understand defense-in-depth from image through deployment.
Then focus on Tier 3 operational procedures. Read "Deploying Verified Images to Kubernetes" to understand deployment procedures that enforce signature verification, require SBOMs, and validate security contexts. Read "Network Security in Kubernetes" to understand network policies, service meshes, and egress filtering. Read "Persistent Storage and Secrets Management" to understand how to manage stateful data securely.
Study compliance and monitoring next. Read "Container Security Compliance" to understand how to map your deployments to compliance requirements. Read "Implementing Image Scanning at Scale" to understand continuous vulnerability scanning of all running containers. Read "Audit Logging and Incident Response" to understand how to log security events and respond to incidents.
Finally, complete Tier 4 hands-on labs. Complete "Hands-On: Deploy Verified Images to a Production Kubernetes Cluster", which walks through configuring Kubernetes admission controllers, enforcing signature verification, deploying applications, and monitoring for policy violations. Complete "Hands-On: Implement Continuous Scanning and Remediation" to set up automated scanning of all running containers and automatic pod disruption for critical vulnerabilities.
Path 3: Security / Compliance Engineer (Evaluating and Enforcing Security Controls)
Duration: 8-12 weeks (50-80 hours)
Prerequisites: Security concepts; compliance frameworks; Linux/Kubernetes helpful
Goal: Understand supply chain attacks, implement supply chain security controls, verify compliance, respond to security incidents
Recommended Reading Order:
Start with Tier 1 supply chain security concepts. Read "Software Supply Chain Security Fundamentals" to understand the attack surface, real-world incidents including SolarWinds, Log4Shell, and XZ Utils, and why the supply chain is a critical target. Read "CVE, NVD, and Vulnerability Databases" to understand how vulnerabilities are discovered, recorded, scored, and exploited. Read "SBOM: From Generation to Analysis" to understand SBOMs as security artifacts that enable rapid vulnerability response and supply chain verification.
Next, read "Container Image Signing and Verification" to understand cryptographic proof of provenance. Read "SLSA Framework and Supply Chain Levels" to understand supply chain maturity and what organizations should target. Read "Compliance Frameworks: SOC 2, ISO 27001, PCI-DSS, HIPAA" to understand how different regulations affect container deployments.
Move to Tier 2 architecture. Read "CleanStart Security Model" and "Supply Chain Security in CleanStart" to understand how verified images fit into a zero-trust supply chain. Read "Image Signing and Verification in CleanStart" to understand the specific signing model.
Then focus on Tier 3 implementation. Read "Implementing Supply Chain Controls in Kubernetes" to understand how to enforce that only verified images run in your cluster. Read "Policy Enforcement with OPA/Gatekeeper" to learn how to write policies that require SBOMs, verify signatures, enforce minimum SLSA levels, and restrict registries. Read "Vulnerability Management at Scale" to understand scanning, response, and remediation processes. Read "Compliance Monitoring and Reporting" to understand how to continuously verify compliance and generate audit reports.
Study incident response by reading "Security Incident Response and Forensics" to understand how to investigate container security breaches, extract artifacts, and perform post-incident analysis.
Finally, complete advanced Tier 4 labs. Complete "Hands-On: Implement Zero-Trust Supply Chain Controls", which walks through setting up signature verification, policy enforcement, continuous scanning, and incident response for a production cluster. Complete "Hands-On: Achieve Compliance Certification", which demonstrates how to meet SOC 2, PCI-DSS, or HIPAA requirements for containerized systems.
Path 4: Security Architect / Decision-Maker (Enterprise Container Strategy)
Duration: 3-4 weeks (15-25 hours, executive summary)
Prerequisites: High-level understanding of IT infrastructure
Goal: Understand supply chain risks, evaluate solutions, justify investment, make architectural decisions
Recommended Reading Order:
Read the executive summary and key statistics in the Knowledge Hub introduction. Read "Business Case for Container Security", which explains return on investment, breach cost avoidance, and competitive advantages of verified images.
Read "Supply Chain Attack Case Studies" to understand real-world incidents and how they could have been prevented. Read "Compliance Requirements and Container Security" to understand regulatory drivers, including executive orders, NIST guidance, and industry standards.
Read "CleanStart Value Proposition", which explains the specific advantages of verified images, supply chain transparency, and reduced operational burden compared to alternatives.
Finally, read "Adoption Decision Framework", which helps determine if and when your organization should invest in container security, what implementation path to follow, and what resources are required. This document provides organization-size specific guidance and risk/benefit analysis.
Quick Reference: "I Need To..."
Use this table to quickly find the right document based on your immediate need. Entries reference the specific Tier and section where you'll find relevant information.
| Need | Document | Tier | Reading Time |
|---|---|---|---|
| Understand what containers are | What is a Container? | 1 | 15 min |
| Write a secure Dockerfile | Dockerfile Best Practices + Container Security Best Practices | 1 | 30 min |
| Build an image from scratch | Hands-On: Build a Verified Container Image | 4 | 2 hours |
| Choose a container registry | Container Registries Compared | 1 | 20 min |
| Sign container images | Container Image Signing and Verification | 1 | 20 min |
| Generate an SBOM | SBOM: From Generation to Analysis | 1 | 25 min |
| Deploy to Kubernetes securely | Deploying Verified Images to Kubernetes | 3 | 30 min |
| Implement security policies | Policy Enforcement with OPA/Gatekeeper | 3 | 45 min |
| Scan for vulnerabilities | Vulnerability Management at Scale | 3 | 40 min |
| Meet compliance requirements | Compliance Frameworks: SOC 2, ISO 27001, PCI-DSS, HIPAA | 1 | 35 min |
| Respond to a security incident | Security Incident Response and Forensics | 3 | 45 min |
| Evaluate CleanStart | CleanStart Value Proposition + Adoption Decision Framework | 2, 4 | 1 hour |
| Implement a zero-trust supply chain | Hands-On: Implement Zero-Trust Supply Chain Controls | 4 | 4 hours |
Maturity Levels and Learning Progressions
The Knowledge Hub also organizes documents by organizational maturity level, reflecting how container security adoption typically progresses.
Level 1: Initial (Just getting started). You have some container deployments but limited security controls. Focus on Tier 1 fundamentals and quick wins in compliance. Prioritize the following documents: Dockerfile Best Practices, Container Security Best Practices, Container Registries Compared, and Vulnerability Scanning Basics.
Level 2: Developing (Building capability). You have basic controls in place and are standardizing practices. Move to Tier 2 architecture understanding and Tier 3 operational procedures. Prioritize these documents: CleanStart Architecture, Deploying Verified Images, Policy Enforcement Basics, and Compliance Monitoring Foundations.
Level 3: Managed (Mature practices). You have comprehensive controls, consistent compliance, and organized processes. Focus on advanced Tier 3 procedures and Tier 4 capstone projects. Prioritize these documents: Advanced Policy Enforcement, Supply Chain Security Advanced Patterns, Incident Response Automation, and Cost Optimization at Scale.
Level 4: Optimized (Continuous improvement). You have automated, measurable, continuously improving security processes. Focus on strategic Tier 2 documents and advanced Tier 4 projects. Prioritize research and emerging standards, advanced architecture patterns, and contributing to open standards.
Recommended Implementation Checklist
As you work through these learning paths, use this checklist to ensure you're implementing knowledge rather than just reading:
Foundation Phase (Weeks 1-2): Read all assigned Tier 1 documents for your role. Understand your organization's current container practices. Identify any existing deployments and their security posture. Establish a learning group or mentorship relationship.
Implementation Phase (Weeks 3-8): Complete all Tier 2 documents relevant to your role. Begin working through Tier 3 operational procedures. Execute hands-on labs from Tier 4 in a controlled environment. Document what you learn and share insights with your team.
Deployment Phase (Weeks 9+): Implement controls in your development environment. Test against your actual applications and workloads. Document the operational procedures you create. Deploy to your staging environment. Conduct incident response drills. Finally, deploy to production with appropriate monitoring in place.
Continuous Improvement: Review the documentation quarterly as new documents are added. Participate in community forums and discussions. Contribute your own patterns and solutions back to the community. Keep up with emerging standards and threats in the container security landscape.
How to Navigate as a Team
If your entire team is learning together, consider this approach. Start with a shared Tier 1 reading list and regular discussion meetings to ensure everyone understands fundamentals. Organize role-specific learning groups for Tier 2 and 3 content so team members focus on relevant material. Combine individuals' hands-on lab experiences into broader team capability. Have advanced team members mentor others who are earlier in their learning journey. Share insights and learnings across the organization through presentations and documentation. Maintain a knowledge base of your implementations and customizations for future reference.
Resources and Support
Additional resources complement this learning path. The Knowledge Hub repository contains all documents plus code examples, configurations, and templates. The community forum enables discussion, Q&A, and sharing of experiences. Vendor-specific documentation for your chosen registry, platform, and tools is always the authoritative source of truth for that system. Industry standards documents from NIST, SLSA, and SBOM specifications provide authoritative guidance. Regular webinars and training sessions help refresh knowledge and introduce new capabilities as they emerge.
