Install: claude install-skill roodlicht/accans-sec-skills
# Supply Chain Defense
## When to use
This skill covers both producer and consumer sides of the software supply chain: what you build, how you prove that you built it, how you sign it, and how you verify what you consume. It complements `cve-triage` (triage of what is in your SBOM) and is invoked by `cicd-hardening` for the build-provenance side.
Triggers on:
- A question like "generate an SBOM", "set up SLSA", "how do I sign our artifacts", "are we vulnerable to dependency confusion", "cosign verify".
- A compliance question from `iso27001`, `nis2`, `dora`, or `soc2` about provenance or SBOM delivery.
- A build pipeline that publishes artifacts (npm package, PyPI wheel, Docker image, Helm chart, GitHub release binary) and lacks provenance.
- An incident where a compromised dependency or typosquat has been found (XZ-style, event-stream-style).
- A government customer demanding SSDF attestation or SBOM delivery (US Executive Order 14028, EU Cyber Resilience Act).
### When NOT (handoff)
- Per-CVE triage from the SBOM → `cve-triage`. This skill produces the SBOM; that one weighs it.
- Secrets in artifacts or in build output → `secrets-scanner`.
- CI-pipeline safety itself (pinned actions, OIDC, runner isolation) → `cicd-hardening`. Overlap on SLSA provenance is intentionally cross-referenced there.
- Container base-image hardening → `container-hardening`. Image signing is here (sigstore/cosign), image content is there.
- Code-pattern questions about dep hygiene (pinning, l