Coding & Refactoringlow risk
supply-chain-audit
Software supply chain audit — dependencies (CVEs, maintenance, licenses, transitive risk), build/CI integrity (SHA-pinned actions, lockfile, CI-only release), artifact integrity (checksums, signing, SBOM). Triggers on: "/supply-chain-audit", "supply-chain-audit", "dependency audit". Run before adding a dep, before a release, or for periodic review. Reports; does not change deps unless asked.
HetCreep/CoalMine·skills/supply-chain-audit/SKILL.md
38/ 100おすすめ度
この Skill を導入
coding agent を選び、プロジェクト用または個人用コマンドをコピーします。
プロジェクトに導入.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a codex -y個人環境に導入~/.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a codex -g -yプロジェクトに導入.claude/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a claude-code -y個人環境に導入~/.claude/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a claude-code -g -yプロジェクトに導入.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a github-copilot -y個人環境に導入~/.copilot/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a github-copilot -g -yプロジェクトに導入.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a cursor -y個人環境に導入~/.cursor/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a cursor -g -yプロジェクトに導入.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a gemini-cli -y個人環境に導入~/.gemini/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a gemini-cli -g -yNative Gemini CLI
gemini skills install https://github.com/HetCreep/CoalMine.git --scope workspace --path skills/supply-chain-audit⚠ インストールには open-source skills CLI を使用します。実行前にソースと権限を確認してください。
Skill の指示
GitHub で元ファイルを表示 ↗# Supply-Chain Audit <!-- SHARED:LANGUAGE_HEADER --> Audit what the project trusts: deps, build pipeline, shipped artifact. Report; do NOT change deps unless asked. ## 1. Dependencies - **Scope** — honor `.coalmine.json` `packageManifests` if set: scan exactly those manifest/lockfile paths; else infer by inspecting the repo. - **CVEs** — run ecosystem auditor; cross-check every hit in GHSA/OSV/NVD. Cite advisory ID + affected range + fixed version. (Invoke source-grounding — never from memory.) - **Maintenance** — last release, commit recency, bus-factor, archived/deprecated flag. - **License** — flag copyleft inside permissive project, missing/unknown license. - **Transitive** — full tree; name the parent to bump for a transitive fix. - **Behavior** — phone home? install scripts? unexpected egress? ## 2. Build / CI - CI-only release builds? - Actions pinned to commit SHA (not floating tag)? - Lockfile committed + enforced in CI? - Minimal token scope? No `pull_request_target`? ## 3. Artifact - SHA-256 checksums published for every binary? - Signed (Authenticode/GPG)? Gap documented honestly? - SBOM generated? - User can verify before running? ## Tooling Per-ecosystem vuln/license/outdated commands + offline fallback: read `references/tooling.md` when selecting scanners. ## Discipline - Ground every CVE/fixed-version in an advisory. Never from memory. - Don't auto-change deps — report + recommend; user decides (bumps break builds). - State what was NOT scanned. Blocked network scans → lockfile inspection fallback (see `references/tooling.md`), mark live checks N-A. ## Fix mode (choice-gated) After the report, present via `ask_question`: - **Pin safe now** — commit already-present unchanged lockfile, pin CI action to current SHA, add missing checksum step. Each: checkpoint → apply → verify. - **Let me pick** — user-selected fixes only. - **Report only** — change nothing. NEVER auto-fix: dep version bump, lockfile regen (re-resolves entire transitive tree). ## Output `| package | direct/transitive | issue | severity | advisory | fixed-in | action |` Build+artifact checklist · Summary (counts + top fixes) · Not scanned <!-- SHARED:ORCHESTRATION --> <!-- SHARED:ESCALATION_FOOTER -->