Which programming languages are supported?

The skill provides specific guidance and tool configurations for Node.js (npm), Python (pip/Poetry), Go, .NET, Java (Maven), and Rust (Cargo).

Can it help prevent dependency confusion attacks?

Yes, it includes configuration templates for private registries, namespace scoping, and package reservation strategies to ensure internal dependencies aren't hijacked.

How does this help with SLSA compliance?

It provides a clear roadmap and implementation patterns for different SLSA levels, helping you move from basic build documentation to high-integrity, non-falsifiable provenance.

What is an SBOM and why do I need one?

A Software Bill of Materials (SBOM) is a formal record of all components and dependencies in your software. It's critical for security transparency, license compliance, and identifying vulnerable packages quickly.

Does it integrate with my existing CI/CD pipeline?

Absolutely. It provides ready-to-use snippets for GitHub Actions and other CI tools to automate vulnerability scanning and SBOM generation in every build.

Supply Chain Security Expert

Name: Supply Chain Security Expert
Author: melodic-software

bymelodic-software

•

Security & Testing

Secures software development lifecycles by generating SBOMs, implementing SLSA frameworks, and scanning for dependency vulnerabilities.

The Supply Chain Security skill provides comprehensive guidance for hardening your software development process against modern threats. It assists developers in generating Software Bill of Materials (SBOM) using formats like CycloneDX and SPDX, implementing SLSA (Supply-chain Levels for Software Artifacts) compliance, and configuring automated vulnerability scanning across multiple ecosystems including Node.js, Python, Go, and .NET. This skill is essential for teams looking to prevent dependency confusion attacks, verify package integrity, and ensure that their CI/CD pipelines meet rigorous security standards.

Key Features

01SLSA framework compliance and provenance implementation

02Lock file integrity and cryptographic hash verification

03Dependency confusion and typosquatting prevention strategies

0412 GitHub stars

05Automated SBOM generation for major package managers

06Cross-platform SCA (Software Composition Analysis) tool configuration

Use Cases

01Securing CI/CD pipelines against build system tampering and unauthorized access

02Generating and uploading SBOMs during automated release workflows

03Auditing third-party dependencies for known security vulnerabilities

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add melodic-software/claude-code-plugins supply-chain-security

For use in Claude.ai and ChatGPT

Download Skill