tenet-supply-chain-license
Install: claude install-skill inceptyon-labs/tenet-skills
# Tenet Supply Chain & License
Audits whether build inputs are traceable, pinned, licensed intentionally, and resistant to common supply-chain attacks.
## Language Support Matrix
```yaml
support:
  native: [typescript, javascript, python, go, rust, java]
  heuristic: [ruby, php, csharp, swift, kotlin]
  config-only: [yaml, json, dockerfile]
```
## Toolchain Inputs
Consume these files when present:
- `.healthcheck/toolchain/osv_scanner.json`, `trivy.json`, `npm_audit.json`, `pip_audit.json`
- `.healthcheck/toolchain/syft.json` for SBOM/package inventory
- `.healthcheck/toolchain/grype.json` for vulnerability data
## Procedure
### Step 0: Detect Ecosystems
Check for manifests and lockfiles: `package.json`, lockfiles, `pyproject.toml`, `requirements.txt`, `go.mod`, `Cargo.toml`, `pom.xml`, `build.gradle`, Dockerfiles, and `.github/workflows`.
If no dependency manifests, container files, or CI workflow files exist, mark `applicable: false`.
### Step 1: Lockfile and Reproducibility
Flag missing or conflicting lockfiles for application projects.
Severity:
- `critical`: app has manifest but no lockfile and CI/build installs dependencies
- `major`: multiple lockfiles for one ecosystem create ambiguous install behavior
- `minor`: lockfile exists but CI does not use frozen install mode
### Step 2: Provenance and Pinning
Check:
- GitHub Actions pinned to full commit SHA rather than mutable tags
- Docker base images pinned by digest
- Package manager config for private scop
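As an added example (not part of the Tenet skill itself), a small Python checker for the two pinning rules in Step 2: GitHub Actions `uses:` references must carry a full 40-hex commit SHA, and Dockerfile `FROM` images must carry a `@sha256:` digest (earlier build-stage aliases and `scratch` excepted). The workflow and Dockerfile inputs are constructed samples and the SHA and digest values are placeholders.

```python
import re
# Constructed sample inputs (not from any real repository); the SHA and digest values are placeholders.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""
DOCKERFILE = """\
FROM golang:1.22 AS builder
FROM gcr.io/distroless/static@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM builder
FROM scratch
"""
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA, the only immutable action ref
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # image pinned by content digest, not by tag
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)

def check_action_pins(workflow_text):
    """Return (line, ref) for each third-party action not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        # Local composite actions and docker:// images are outside this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):  # a tag or branch name can be moved by the action's owner
            findings.append((lineno, ref))
    return findings

def check_base_image_pins(dockerfile_text):
    """Return (line, image) for each FROM that is not digest-pinned, 'scratch', or an earlier build stage."""
    findings, stages = [], set()
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image.lower() != "scratch" and image not in stages and not DIGEST_RE.search(image):
            findings.append((lineno, image))
        if alias:
            stages.add(alias)
    return findings
```

Both functions return an empty list when every input is pinned, so they can gate CI directly; a `major` or `critical` rating per the severity tables above is left to the skill's own scoring.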