一键导入
sbom-supply-chain
Generate, attach, and verify SBOMs (CycloneDX/SPDX) for container images; implement SLSA provenance; harden software supply chain.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Generate, attach, and verify SBOMs (CycloneDX/SPDX) for container images; implement SLSA provenance; harden software supply chain.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | sbom-supply-chain |
| type | skill |
| description | Generate, attach, and verify SBOMs (CycloneDX/SPDX) for container images; implement SLSA provenance; harden software supply chain. |
| related-rules | ["supply-chain-security.md (ci-cd)","shift-left-policy.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: Syft/Trivy SBOM generation, cosign SBOM attestation, SLSA provenance, dependency pinning, OCI attestations.
When generating SBOMs for images, attaching attestations to OCI registry, verifying supply chain integrity, or achieving SLSA compliance.
# Generate CycloneDX SBOM from image (OCI)
syft registry.example.com/myorg/order-service:v1.2.3 \
-o cyclonedx-json=sbom.cdx.json
# Generate SPDX SBOM from image
syft registry.example.com/myorg/order-service:v1.2.3 \
-o spdx-json=sbom.spdx.json
# Generate from local directory (during build)
syft dir:. -o cyclonedx-json=sbom.cdx.json
# Generate from Dockerfile build context (before push)
syft packages docker:myimage:latest -o cyclonedx-json=sbom.cdx.json
# Sign image and attach SBOM as OCI attestation
# Step 1: Build and push image
docker buildx build --push \
-t registry.example.com/myorg/order-service:v1.2.3 .
# Step 2: Get digest
DIGEST=$(crane digest registry.example.com/myorg/order-service:v1.2.3)
# Step 3: Generate SBOM
syft registry.example.com/myorg/order-service:v1.2.3 \
-o cyclonedx-json=sbom.cdx.json
# Step 4: Attach SBOM as attestation (Sigstore keyless)
cosign attest \
--predicate sbom.cdx.json \
--type cyclonedx \
registry.example.com/myorg/order-service@${DIGEST}
# Step 5: Verify attestation exists
cosign verify-attestation \
--type cyclonedx \
--certificate-identity-regexp ".*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
registry.example.com/myorg/order-service@${DIGEST} \
| jq '.payload | @base64d | fromjson | .predicate.metadata'
# .github/workflows/supply-chain.yml
jobs:
build-sign-attest:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # for cosign keyless signing
steps:
- uses: actions/checkout@v4
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Install syft
uses: anchore/sbom-action/download-syft@v0
- name: Build and push
id: build
uses: docker/build-push-action@v6
with:
push: true
tags: registry.example.com/myorg/order-service:${{ github.sha }}
- name: Sign image (keyless via OIDC)
run: |
cosign sign \
registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }}
- name: Generate SBOM
run: |
syft registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }} \
-o cyclonedx-json=sbom.cdx.json
- name: Attach SBOM attestation
run: |
cosign attest \
--predicate sbom.cdx.json \
--type cyclonedx \
registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }}
- name: Generate SLSA provenance
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
with:
image: registry.example.com/myorg/order-service
digest: ${{ steps.build.outputs.digest }}
# Verify image is signed before deploying
cosign verify \
--certificate-identity-regexp "https://github.com/myorg/myrepo" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
registry.example.com/myorg/order-service@sha256:<digest>
# Kyverno policy: enforce signed images in production
# (see opa-policies skill for full Kyverno policy)
# Pin base image to digest — not just tag
FROM python:3.12-slim@sha256:abc123... # ✅
FROM python:3.12-slim # ❌ tag can be replaced
# Verify base image digest in CI
crane digest python:3.12-slim
# Python: generate requirements with hashes (pip-compile)
pip-compile --generate-hashes requirements.in -o requirements.txt
# Install with hash verification
pip install -r requirements.txt --require-hashes
# Node: lock file with integrity hashes (automatic in npm/yarn)
npm ci # uses package-lock.json with sha512 integrity hashes
# Scan SBOM for vulnerabilities (without re-pulling image)
grype sbom:sbom.cdx.json --fail-on high
# List all packages in SBOM
cat sbom.cdx.json | jq '.components[] | {name: .name, version: .version, purl: .purl}'
# Check for GPL licenses in SBOM
cat sbom.cdx.json | jq '.components[] | select(.licenses[]?.license.id | startswith("GPL"))'