원클릭으로
source-command-audit-deps-audit
Dependency & supply-chain audit (security-team) — lockfile, pinning, CVEs → backlog.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Dependency & supply-chain audit (security-team) — lockfile, pinning, CVEs → backlog.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Domain Engineering diagnostic — shows what the classifier decides for an objective (CMIS/DAS/profile/skills/mode). Observation-only; never mutates or blocks.
Business-driven methodology entry point — classify (intake), create/advance an Operation or Business work context, and drive the intake → operation → nested-workflow flow. Host-neutral; dry-run by default.
Workflow Navigator — shows the current phase, deliverables, and next commands for an ADR-0057 workflow. Read-only; never mutates state.
Start a focused session on one objective — locks scope, blocks opportunistic refactors.
Deterministic QA gate (ADR-0055) — run the project suite; green + complete acceptance criteria ⇒ qa-approve testing cards into conclusion; red ⇒ report (and qa-reject only attributable failures).
L6 — autonomous feature pipeline. Drives the full squad: design → implement → review → test → log. Checkpoints can be manual or automatic.
| name | source-command-audit-deps-audit |
| description | Dependency & supply-chain audit (security-team) — lockfile, pinning, CVEs → backlog. |
Use this skill when the user asks to run the migrated source command deps-audit.
Run the security-team's dependency / supply-chain check, then feed the backlog.
Audit (writes findings for ingestion):
node contextkit/tools/scripts/deps-audit.mjs --write
Detects: missing lockfile (non-reproducible installs), unbounded version
ranges, license-policy violations (deny-list / allow-list from
contextkit/config.json → deps.licenses), lockfile drift (a declared dep
missing from the lockfile), and — when the toolchain is present —
npm/pnpm/yarn audit CVEs (severity-mapped critical→5 … info→1).
Generate a CycloneDX SBOM (provenance):
node contextkit/tools/scripts/deps-audit.mjs --sbom # → contextkit/memory/sbom.json
Staleness / abandonment (ADR-0047 — the only audit step that touches the network, so it's opt-in):
node contextkit/tools/scripts/deps-audit.mjs --registry --write
Flags a deprecated latest and packages with no publish in 2+ years. An
unreachable registry shows up as a registry-skipped finding — a skip,
never a pass.
Feed the DevPipeline backlog — each issue becomes an auto-prioritized task:
node contextkit/tools/scripts/pipeline.mjs ingest contextkit/memory/deps-findings.json --type chore
Idempotent (re-runs don't duplicate). Priorities are always editable
(pipeline.mjs prioritize <id> <P> or /pipeline).
Interpret with judgment (delegate to the security agent): which advisories
are actually reachable/exploitable in THIS app vs transitive noise? Recommend the
fix (upgrade · pin · replace · accept-with-reason). On a Critical/High, the
security-team can block the release.
Report: counts by severity + the top items + what was ingested.
GitHub-native (optional, loop-closer) — if the repo is on GitHub, pull its
Dependabot + code-scanning alerts into the same backlog (needs the gh CLI,
authenticated):
node contextkit/tools/scripts/gh-alerts.mjs --write
node contextkit/tools/scripts/pipeline.mjs ingest contextkit/memory/gh-alerts-findings.json --type chore
Set up the scaffolding (.github/dependabot.yml + the security workflow) with
/security-setup.
Stack note: Node is audited deterministically. For Python (requirements.txt /
pyproject.toml) the command flags that pip-audit / safety should run.