Which programming languages are supported?

The skill provides specific guidance and tool configurations for Node.js (npm), Python (pip/Poetry), Go, .NET, Java (Maven), and Rust (Cargo).

Can it help prevent dependency confusion attacks?

Yes, it includes configuration templates for private registries, namespace scoping, and package reservation strategies to ensure internal dependencies aren't hijacked.

How does this help with SLSA compliance?

It provides a clear roadmap and implementation patterns for different SLSA levels, helping you move from basic build documentation to high-integrity, non-falsifiable provenance.

What is an SBOM and why do I need one?

A Software Bill of Materials (SBOM) is a formal record of all components and dependencies in your software. It's critical for security transparency, license compliance, and identifying vulnerable packages quickly.

Does it integrate with my existing CI/CD pipeline?

Absolutely. It provides ready-to-use snippets for GitHub Actions and other CI tools to automate vulnerability scanning and SBOM generation in every build.

Supply Chain Security Expert

Name: Supply Chain Security Expert
Author: melodic-software

bymelodic-software

•

Security & Testing

Secures software development lifecycles by generating SBOMs, implementing SLSA frameworks, and scanning for dependency vulnerabilities.

About

The Supply Chain Security skill provides comprehensive guidance for hardening your software development process against modern threats. It assists developers in generating Software Bill of Materials (SBOM) using formats like CycloneDX and SPDX, implementing SLSA (Supply-chain Levels for Software Artifacts) compliance, and configuring automated vulnerability scanning across multiple ecosystems including Node.js, Python, Go, and .NET. This skill is essential for teams looking to prevent dependency confusion attacks, verify package integrity, and ensure that their CI/CD pipelines meet rigorous security standards.

Key Features

SLSA framework compliance and provenance implementation
Lock file integrity and cryptographic hash verification
Dependency confusion and typosquatting prevention strategies
12 GitHub stars
Automated SBOM generation for major package managers
Cross-platform SCA (Software Composition Analysis) tool configuration

Use Cases

Securing CI/CD pipelines against build system tampering and unauthorized access
Generating and uploading SBOMs during automated release workflows
Auditing third-party dependencies for known security vulnerabilities

About

Key Features

SLSA framework compliance and provenance implementation
Lock file integrity and cryptographic hash verification
Dependency confusion and typosquatting prevention strategies
12 GitHub stars
Automated SBOM generation for major package managers
Cross-platform SCA (Software Composition Analysis) tool configuration

Use Cases

Securing CI/CD pipelines against build system tampering and unauthorized access
Generating and uploading SBOMs during automated release workflows
Auditing third-party dependencies for known security vulnerabilities