← ClaudeAtlas

github-supply-chainlisted

Audit GitHub repository supply chain security including GitHub Actions workflow hardening, third-party action pinning, dependency review, SBOM generation, and OIDC-based cloud authentication. Use this skill whenever the user asks about GitHub Actions security, workflow permissions, action pinning, Dependabot, Renovate, supply chain attacks, dependency confusion, typosquatting, SBOM (CycloneDX/SPDX), OIDC federation with AWS/GCP/Azure, or any concern about external code entering their CI/CD pipeline. Trigger on phrases like "audit my GitHub Actions", "are my workflows safe", "supply chain risk", "should I pin actions", "OIDC for cloud", "SBOM generation", "dependency review", and similar. Use this even if the user only mentions one sub-topic — coverage is broader than the trigger.
hlsitechio/claude-skills-security · ★ 1 · AI & Automation · score 67
Install: claude install-skill hlsitechio/claude-skills-security
# GitHub Supply Chain Audit Audit the external code and identity surface that GitHub Actions exposes: third-party actions, dependencies, build outputs, and the credentials workflows use to reach cloud providers. This is a defensive (find & fix) skill — find weaknesses and produce a remediation report. ## When this skill applies - Reviewing `.github/workflows/*.yml` for hardening gaps - Evaluating dependency hygiene (Dependabot config, Renovate, lockfiles, audit policies) - Checking SBOM presence and quality - Auditing how workflows authenticate to AWS/GCP/Azure (long-lived keys vs OIDC) - Triage after a public Actions compromise (e.g., tj-actions/changed-files class of incidents) Use a different skill for: repository governance like branch protection (see `github-repo-hardening`), application-code vulnerabilities (see `saas-code-security-review`). ## Workflow Follow the 5-phase audit workflow defined in `../_shared/audit-workflow.md`. Skill-specific guidance below. ### Phase 1: Scope confirmation Ask the user (or confirm from context): - Single repo or org-wide? - Public, internal, or private repo? - Has GitHub Advanced Security (GHAS) license? (affects which features are available) - Are workflows reaching cloud providers? Which? ### Phase 2: Inventory Collect: ```bash # List all workflow files find .github/workflows -name '*.yml' -o -name '*.yaml' # Extract every external action reference grep -rEho 'uses:\s*[^@\s]+@[^\s]+' .github/workflows/ | sort -u # List de