
devsecops-supply-chain-audit

Audit software supply chain across every ecosystem (npm, pip, Go, Ruby, Cargo, Maven, Docker, Terraform) — pinning, vulnerabilities, secrets, SBOM, signing, branch protection, CODEOWNERS. One sub-agent per ecosystem. Three modes.
anthril/official-claude-plugins · ★ 3 · AI & Automation · score 82
Install: claude install-skill anthril/official-claude-plugins
# DevSecOps Supply Chain Audit

ultrathink

<!-- anthril-output-directive -->
> **Output path directive (canonical — overrides in-body references).**
> All file outputs from this skill MUST be written under `.anthril/audits/devsecops-supply-chain-audit/`.
> Run `mkdir -p .anthril/audits/devsecops-supply-chain-audit` before the first `Write` call.
> Primary artefact: `.anthril/audits/devsecops-supply-chain-audit/<artefact>`.
> Do NOT write to the project root or to bare filenames at cwd.
> Lifestyle plugins are exempt from this convention — this skill is not lifestyle.

## When to use

Run this skill when the user mentions:

- Supply-chain audit, DevSecOps
- SLSA, SBOM, Dependabot, Renovate
- Dependency security, secrets scanning, SCA
- Branch protection review

Detects every ecosystem in the repo (npm, pnpm, yarn, pip, Poetry, Go modules, Cargo, Bundler, Maven, Gradle, Composer, Docker images, Terraform providers) and spawns one sub-agent per ecosystem. Covers dependency pinning (lockfile committed, exact-vs-range, integrity hashes), vulnerability surface (`npm audit`, `pip-audit`, `govulncheck`, `bundler-audit`, `trivy`, `grype`), secret scanning (gitleaks-style patterns against HEAD and history), SBOM generation (Syft, CycloneDX), provenance and signing (SLSA level, cosign, sigstore, `npm --provenance`), branch protection, CODEOWNERS coverage, and Dependabot/Renovate configuration.

## Before You Start

1. **Determine operating mode.** `--live` runs vulnerability scanners av
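The pinning checks the skill lists (lockfile committed, exact-vs-range specifiers, integrity hashes) are concrete enough to show as code. The script below is an added example written for this page; it is not part of the skill or of the anthril plugin repository. It assumes its own manifest-to-lockfile table, implements the specifier and integrity checks for npm only (package.json plus a lockfileVersion 2/3 package-lock.json), and runs against a constructed sample checkout with placeholder digests, so nothing here reflects a real project.

```python
"""Added example: a dependency-pinning audit over a repository checkout.

Three of the checks the skill lists under "dependency pinning":
  1. a lockfile is committed next to every manifest whose ecosystem is detected,
  2. npm specifiers are exact versions rather than ranges or dist-tags,
  3. every npm lockfile entry carries an integrity hash.
"""
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Manifest -> (ecosystem, lockfiles any one of which counts as "committed").
# This table is the example's own assumption, not the skill's detection logic.
MANIFESTS = {
    "package.json": ("npm", ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")),
    "pyproject.toml": ("python", ("poetry.lock", "pdm.lock", "uv.lock")),
    "go.mod": ("go", ("go.sum",)),
    "Cargo.toml": ("cargo", ("Cargo.lock",)),
    "Gemfile": ("bundler", ("Gemfile.lock",)),
    "composer.json": ("composer", ("composer.lock",)),
}

# Exact semver: MAJOR.MINOR.PATCH plus optional pre-release/build metadata. Anything else
# ("^4.17.21", "~1.2", ">=1", "latest", "*", git URLs) can resolve differently on a later install.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    check: str      # lockfile-missing | range-specifier | integrity-missing
    subject: str    # manifest path or package the finding is about
    detail: str


def check_lockfiles(root: Path) -> list[Finding]:
    """Flag every detected manifest that has no lockfile committed beside it."""
    findings = []
    for manifest in root.rglob("*"):
        if manifest.name not in MANIFESTS or "node_modules" in manifest.parts:
            continue
        ecosystem, lockfiles = MANIFESTS[manifest.name]
        if not any((manifest.parent / lf).is_file() for lf in lockfiles):
            findings.append(Finding(ecosystem, "lockfile-missing", str(manifest.relative_to(root)),
                                    f"expected one of: {', '.join(lockfiles)}"))
    return findings


def check_npm_specifiers(package_json: Path) -> list[Finding]:
    """Flag package.json specifiers that are not exact versions."""
    manifest = json.loads(package_json.read_text())
    findings = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(field, {}).items():
            if not EXACT_SEMVER.match(spec):
                findings.append(Finding("npm", "range-specifier", name,
                                        f"{field}: {spec!r} is not an exact version"))
    return findings


def check_npm_integrity(lockfile: Path) -> list[Finding]:
    """Flag package-lock.json (lockfileVersion 2/3) entries without an integrity hash."""
    lock = json.loads(lockfile.read_text())
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):  # the root project and workspace symlinks carry no hash
            continue
        if "integrity" not in entry:
            findings.append(Finding("npm", "integrity-missing", path,
                                    f"resolved={entry.get('resolved', '?')} has no integrity field"))
    return findings


def audit_repo(root: Path) -> list[Finding]:
    """Run all pinning checks over a checkout and return the findings."""
    findings = check_lockfiles(root)
    for pkg in root.rglob("package.json"):
        if "node_modules" in pkg.parts:
            continue
        findings += check_npm_specifiers(pkg)
        lock = pkg.parent / "package-lock.json"
        if lock.is_file():
            findings += check_npm_integrity(lock)
    return findings


def build_sample_repo() -> Path:
    """Constructed sample checkout (not a real project); digests are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="pin-audit-"))
    (root / "package.json").write_text(json.dumps({
        "name": "sample", "version": "1.0.0",
        "dependencies": {"express": "4.18.2", "lodash": "^4.17.21"},
        "devDependencies": {"left-pad": "latest"},
    }))
    (root / "package-lock.json").write_text(json.dumps({
        "name": "sample", "lockfileVersion": 3,
        "packages": {
            "": {"name": "sample", "version": "1.0.0"},
            "node_modules/express": {"version": "4.18.2", "integrity": "sha512-PLACEHOLDER-A",
                                     "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
            "node_modules/lodash": {"version": "4.17.21",  # deliberately missing "integrity"
                                    "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
            "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER-B",
                                      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        },
    }))
    (root / "go.mod").write_text("module example.com/sample\n\ngo 1.22\n")  # no go.sum beside it
    (root / "Cargo.toml").write_text('[package]\nname = "sample"\nversion = "0.1.0"\n')
    (root / "Cargo.lock").write_text("# This file is automatically @generated by Cargo.\nversion = 3\n")
    return root


if __name__ == "__main__":
    for f in sorted(audit_repo(build_sample_repo()), key=lambda f: (f.ecosystem, f.check, f.subject)):
        print(f"[{f.ecosystem}] {f.check}: {f.subject} ({f.detail})")
```

On the sample checkout this reports four findings: go.mod without go.sum, the `^4.17.21` and `latest` npm specifiers, and the lodash lockfile entry with no `integrity` field; the exact `express` pin and the Cargo project with its committed Cargo.lock pass. The integrity check matters even when a lockfile exists, because an entry without a hash still lets the registry serve a different tarball for the same version.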