Does it require external network access?

While some integrity checks benefit from registry lookups (like OSV.dev), it can perform deep local analysis of manifests, lockfiles, and build scripts without external calls.

Can it detect malicious GitHub Actions?

Yes, it scans workflow files for unpinned tags, unauthorized secret access, and suspicious patterns like inline base64 payloads or 'curl | sh' commands.

What ecosystems does this skill support?

It supports major package ecosystems including npm (Node.js), pip (Python), Go modules, Cargo (Rust), RubyGems, Maven, and Gradle.

Where are the forensic findings saved?

All results, including generated SBOMs and integrity reports, are documented in the .aiwg/forensics/ directory for easy review and archival.

What is an SLSA assessment?

It evaluates your build process against Supply-chain Levels for Software Artifacts (SLSA) to measure the security, automation, and provenance of your software artifacts.

Supply Chain Forensics

Name: Supply Chain Forensics
Author: jmagly

byjmagly

•

102

•

Seguridad y Pruebas

Performs deep security audits of software supply chains by analyzing SBOMs, verifying dependency integrity, and inspecting CI/CD pipelines for tampering.

Supply Chain Forensics is a specialized security skill designed to identify compromises before software reaches production. It automatically detects project ecosystems, generates and validates SBOMs (CycloneDX/SPDX), and cross-references dependency hashes against official registries. The skill goes beyond simple scanning by analyzing build scripts for malicious patterns, detecting typosquatting attempts, and assessing projects against SLSA (Supply-chain Levels for Software Artifacts) framework benchmarks to ensure high-integrity delivery pipelines.

Características Principales

01Cross-ecosystem dependency integrity verification for npm, pip, Go, and Cargo

02Automated SBOM generation and validation for multi-language projects

03CI/CD pipeline auditing for malicious scripts, unpinned actions, and privilege escalation

04102 GitHub stars

05Typosquatting and dependency confusion attack detection using Levenshtein distance

06SLSA level assessment and build reproducibility verification

Casos de Uso

01Auditing a project before a major release to ensure no malicious dependencies were introduced

02Generating compliance-ready SBOMs and forensic findings for stakeholder reporting

03Investigating potential CI/CD tampering following a security alert or suspicious workflow change

Características Principales

01Cross-ecosystem dependency integrity verification for npm, pip, Go, and Cargo

02Automated SBOM generation and validation for multi-language projects

03CI/CD pipeline auditing for malicious scripts, unpinned actions, and privilege escalation

04102 GitHub stars

05Typosquatting and dependency confusion attack detection using Levenshtein distance

06SLSA level assessment and build reproducibility verification

Casos de Uso

01Auditing a project before a major release to ensure no malicious dependencies were introduced

02Generating compliance-ready SBOMs and forensic findings for stakeholder reporting

03Investigating potential CI/CD tampering following a security alert or suspicious workflow change