Coding & Refactoringlow risk

supply-chain-audit

Software supply chain audit — dependencies (CVEs, maintenance, licenses, transitive risk), build/CI integrity (SHA-pinned actions, lockfile, CI-only release), artifact integrity (checksums, signing, SBOM). Triggers on: "/supply-chain-audit", "supply-chain-audit", "dependency audit". Run before adding a dep, before a release, or for periodic review. Reports; does not change deps unless asked.

HetCreep/CoalMine·skills/supply-chain-audit/SKILL.md
38/ 100推薦值

匯入這個 Skill

選擇你的 coding agent,複製專案級或個人級安裝指令。

固定至平台收錄的 commit
匯入目前專案.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a codex -y
匯入個人環境~/.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a codex -g -y
手動放置目錄.agents/skills/supply-chain-auditOfficial docs ↗
匯入目前專案.claude/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a claude-code -y
匯入個人環境~/.claude/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a claude-code -g -y
手動放置目錄.claude/skills/supply-chain-auditOfficial docs ↗
匯入目前專案.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a github-copilot -y
匯入個人環境~/.copilot/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a github-copilot -g -y
手動放置目錄.agents/skills/supply-chain-auditOfficial docs ↗
匯入目前專案.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a cursor -y
匯入個人環境~/.cursor/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a cursor -g -y
手動放置目錄.agents/skills/supply-chain-auditOfficial docs ↗
匯入目前專案.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a gemini-cli -y
匯入個人環境~/.gemini/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a gemini-cli -g -y
Native Gemini CLIgemini skills install https://github.com/HetCreep/CoalMine.git --scope workspace --path skills/supply-chain-audit
手動放置目錄.agents/skills/supply-chain-auditOfficial docs ↗
⚠ 安裝指令使用開源 skills CLI。執行前請檢查來源、腳本與權限。
# Supply-Chain Audit

<!-- SHARED:LANGUAGE_HEADER -->

Audit what the project trusts: deps, build pipeline, shipped artifact. Report; do NOT change deps unless asked.

## 1. Dependencies
- **Scope** — honor `.coalmine.json` `packageManifests` if set: scan exactly those manifest/lockfile paths; else infer by inspecting the repo.
- **CVEs** — run ecosystem auditor; cross-check every hit in GHSA/OSV/NVD. Cite advisory ID + affected range + fixed version. (Invoke source-grounding — never from memory.)
- **Maintenance** — last release, commit recency, bus-factor, archived/deprecated flag.
- **License** — flag copyleft inside permissive project, missing/unknown license.
- **Transitive** — full tree; name the parent to bump for a transitive fix.
- **Behavior** — phone home? install scripts? unexpected egress?

## 2. Build / CI
- CI-only release builds?
- Actions pinned to commit SHA (not floating tag)?
- Lockfile committed + enforced in CI?
- Minimal token scope? No `pull_request_target`?

## 3. Artifact
- SHA-256 checksums published for every binary?
- Signed (Authenticode/GPG)? Gap documented honestly?
- SBOM generated?
- User can verify before running?

## Tooling
Per-ecosystem vuln/license/outdated commands + offline fallback: read `references/tooling.md` when selecting scanners.

## Discipline
- Ground every CVE/fixed-version in an advisory. Never from memory.
- Don't auto-change deps — report + recommend; user decides (bumps break builds).
- State what was NOT scanned. Blocked network scans → lockfile inspection fallback (see `references/tooling.md`), mark live checks N-A.

## Fix mode (choice-gated)
After the report, present via `ask_question`:
- **Pin safe now** — commit already-present unchanged lockfile, pin CI action to current SHA, add missing checksum step. Each: checkpoint → apply → verify.
- **Let me pick** — user-selected fixes only.
- **Report only** — change nothing.

NEVER auto-fix: dep version bump, lockfile regen (re-resolves entire transitive tree).

## Output
`| package | direct/transitive | issue | severity | advisory | fixed-in | action |`
Build+artifact checklist · Summary (counts + top fixes) · Not scanned

<!-- SHARED:ORCHESTRATION -->

<!-- SHARED:ESCALATION_FOOTER -->