一键导入
devsecops-supply-chain
Generate SBOM (CycloneDX/SPDX), verify SLSA provenance, audit dependency chains, and detect supply chain attack patterns.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Generate SBOM (CycloneDX/SPDX), verify SLSA provenance, audit dependency chains, and detect supply chain attack patterns.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Build USSD applications for African markets — menu design, session management, multi-operator integration, and user experience patterns for feature phones.
Generate AI Act Article 50 compliant disclosure notices, metadata tags, and content marking for AI-generated text, images, audio, and video.
Analyze contracts to identify key clauses, risks, obligations, deadlines, and parties. Multi-language support with focus on French and EU commercial law.
Detect and classify technical debt in AI-generated code — patterns specific to LLM outputs, shallow implementations, missing edge cases, and accumulation signals.
Navigate French notarial acts — fee calculation (emoluments), succession, donation, SCI creation, property transfer, and regulated fee schedules.
Structure a job search for the French/European market — CV format europass, cover letter VOUS-MOI-NOUS, job evaluation scoring, interview prep STAR, salary negotiation with French conventions.
| name | devsecops-supply-chain |
| description | Generate SBOM (CycloneDX/SPDX), verify SLSA provenance, audit dependency chains, and detect supply chain attack patterns. |
| version | 1.0.0 |
| last-updated | 2026-04-17 |
| model_tested | claude-sonnet-4-6 |
| category | devsecops |
| platforms | ["claude-code","codex","gemini-cli","cursor","copilot","windsurf","cline"] |
| language | en |
| geo_relevance | ["global"] |
| priority | high |
| dependencies | {"mcp":[],"skills":[],"apis":[],"data":[]} |
| update_sources | [{"url":"https://slsa.dev/spec/v1.0/","check_frequency":"quarterly","last_checked":"2026-04-17"}] |
| license | MIT |
| Format | Standard | Best For |
|---|---|---|
| CycloneDX | OWASP | Security-focused, VEX support |
| SPDX | Linux Foundation | License compliance, legal |
If a terminal is available, use these commands. Otherwise, describe what fields to include manually.
Node.js/npm:
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
Python/pip:
pip install cyclonedx-bom
cyclonedx-py requirements -i requirements.txt -o sbom.json
Go:
cyclonedx-gomod mod -json -output sbom.json
| Level | Requirement | How |
|---|---|---|
| SLSA 1 | Documentation of build process | Document build steps |
| SLSA 2 | Hosted build platform, signed provenance | Use GitHub Actions, sign with Sigstore |
| SLSA 3 | Hardened build platform, non-falsifiable provenance | Isolated builders, hermetic builds |
| Pattern | Detection | Prevention |
|---|---|---|
| Typosquatting | Compare package name to known packages | Pin exact versions |
| Dependency confusion | Check if internal name exists on public registry | Scope packages, configure registry priority |
| Compromised maintainer | Monitor for unusual releases, new maintainers | Pin versions + hashes, delayed adoption |
| Malicious post-install | Audit install scripts | --ignore-scripts flag, review before install |
| Star-jacking | Verify GitHub URL matches npm/PyPI metadata | Cross-reference package metadata |
--require-hashes, npm --package-lock-only)?