一键导入
supply-chain-security
SBOM generation, CVE scanning, supply chain attack detection, license compliance, dependency pinning, and artifact verification.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
SBOM generation, CVE scanning, supply chain attack detection, license compliance, dependency pinning, and artifact verification.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Session bootstrap + workflows for Pathfinder semantic navigation tools. Covers: discovery protocol, tool chaining patterns (explore, impact, audit, debug), search optimization, LSP degraded mode, and error recovery.
Playwright browser automation via MCP. Covers E2E testing, UI review, web scraping, screenshot capture, and general browser interaction. MCP-first — CLI is fallback only.
Safe command execution: input sanitization, timeout handling, output capture, error propagation. For spawning processes, shell commands, system calls.
Git conventions: conventional commits, branch naming, PR hygiene, release tagging.
Structured incident workflow: severity classification, triage, diagnosis, mitigation, postmortem, and prevention. Template-driven with blameless review.
Constructs, validates, and traverses a Directed Acyclic Graph (DAG) from scope cards for safe level-based parallel dispatch. Determines execution order via topological sort. Detects cycles and invalid dependencies.
| name | supply-chain-security |
| description | SBOM generation, CVE scanning, supply chain attack detection, license compliance, dependency pinning, and artifact verification. |
Guidelines for securing the software supply chain.
| Language | Tool | Command |
|---|---|---|
| Go | govulncheck | govulncheck ./... |
| Rust | cargo audit | cargo audit |
| Python | pip-audit | pip-audit |
| Node.js | npm audit | npm audit |
| Java | OWASP Dependency-Check | mvn dependency-check:check |
| .NET | Built-in | dotnet list package --vulnerable |
| Ruby | bundle audit | bundle audit check --update |
| PHP | composer audit | composer audit |
# CycloneDX format (recommended)
# Go
cyclonedx-gomod mod -json -output sbom.json
# Node.js
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
# Python
cyclonedx-py poetry --format json -o sbom.json
| License | Risk | Action |
|---|---|---|
| MIT, BSD, Apache 2.0 | Low | Permissive — generally safe |
| LGPL | Medium | Review linking requirements |
| GPL | High | Copyleft — may require source disclosure |
| AGPL | Critical | Network copyleft — consult legal |
| No license | Critical | Cannot use — no rights granted |
license-checker (Node.js), pip-licenses (Python), cargo-license (Rust)package-lock.json, go.sum, Cargo.lock, poetry.lock