Coding & Refactoringlow risk
supply-chain-audit
Software supply chain audit — dependencies (CVEs, maintenance, licenses, transitive risk), build/CI integrity (SHA-pinned actions, lockfile, CI-only release), artifact integrity (checksums, signing, SBOM). Triggers on: "/supply-chain-audit", "supply-chain-audit", "dependency audit". Run before adding a dep, before a release, or for periodic review. Reports; does not change deps unless asked.
HetCreep/CoalMine·skills/supply-chain-audit/SKILL.md
38/ 100推薦值
匯入這個 Skill
選擇你的 coding agent,複製專案級或個人級安裝指令。
匯入目前專案.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a codex -y匯入個人環境~/.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a codex -g -y匯入目前專案.claude/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a claude-code -y匯入個人環境~/.claude/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a claude-code -g -y匯入目前專案.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a github-copilot -y匯入個人環境~/.copilot/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a github-copilot -g -y匯入目前專案.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a cursor -y匯入個人環境~/.cursor/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a cursor -g -y匯入目前專案.agents/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a gemini-cli -y匯入個人環境~/.gemini/skills/supply-chain-audit
npx skills add https://github.com/HetCreep/CoalMine/tree/3e46a56a54f4eec2f8eae4c53d5efca7d5c3ed80/skills/supply-chain-audit -a gemini-cli -g -yNative Gemini CLI
gemini skills install https://github.com/HetCreep/CoalMine.git --scope workspace --path skills/supply-chain-audit⚠ 安裝指令使用開源 skills CLI。執行前請檢查來源、腳本與權限。
Skill 指令
在 GitHub 查看原始檔案 ↗# Supply-Chain Audit <!-- SHARED:LANGUAGE_HEADER --> Audit what the project trusts: deps, build pipeline, shipped artifact. Report; do NOT change deps unless asked. ## 1. Dependencies - **Scope** — honor `.coalmine.json` `packageManifests` if set: scan exactly those manifest/lockfile paths; else infer by inspecting the repo. - **CVEs** — run ecosystem auditor; cross-check every hit in GHSA/OSV/NVD. Cite advisory ID + affected range + fixed version. (Invoke source-grounding — never from memory.) - **Maintenance** — last release, commit recency, bus-factor, archived/deprecated flag. - **License** — flag copyleft inside permissive project, missing/unknown license. - **Transitive** — full tree; name the parent to bump for a transitive fix. - **Behavior** — phone home? install scripts? unexpected egress? ## 2. Build / CI - CI-only release builds? - Actions pinned to commit SHA (not floating tag)? - Lockfile committed + enforced in CI? - Minimal token scope? No `pull_request_target`? ## 3. Artifact - SHA-256 checksums published for every binary? - Signed (Authenticode/GPG)? Gap documented honestly? - SBOM generated? - User can verify before running? ## Tooling Per-ecosystem vuln/license/outdated commands + offline fallback: read `references/tooling.md` when selecting scanners. ## Discipline - Ground every CVE/fixed-version in an advisory. Never from memory. - Don't auto-change deps — report + recommend; user decides (bumps break builds). - State what was NOT scanned. Blocked network scans → lockfile inspection fallback (see `references/tooling.md`), mark live checks N-A. ## Fix mode (choice-gated) After the report, present via `ask_question`: - **Pin safe now** — commit already-present unchanged lockfile, pin CI action to current SHA, add missing checksum step. Each: checkpoint → apply → verify. - **Let me pick** — user-selected fixes only. - **Report only** — change nothing. NEVER auto-fix: dep version bump, lockfile regen (re-resolves entire transitive tree). ## Output `| package | direct/transitive | issue | severity | advisory | fixed-in | action |` Build+artifact checklist · Summary (counts + top fixes) · Not scanned <!-- SHARED:ORCHESTRATION --> <!-- SHARED:ESCALATION_FOOTER -->