pentest-supply-chain

What problem does it solve?

Supply chain attacks threaten the integrity of software by tampering with dependencies, CI/CD pipelines, and build artifacts. This Skill provides a structured approach to assess and mitigate these risks across the codebase.

Core Features & Use Cases

• Dependency Audit: identify vulnerable dependencies and unmaintained packages across ecosystems.
• Dependency Confusion testing: check for namespace squatting and misconfigured registries.
• CI/CD Pipeline Security: review workflows for secrets exposure, unpinned actions, and runner escapes.
• Build Artifact Integrity: verify signatures and tamper-resistance of produced artifacts.
• Lockfile Integrity: detect manipulated lockfiles and ensure manifest-to-lockfile consistency.
• Install Script Abuse & Typosquatting: identify install hooks that may exfiltrate data or execute malicious code.
• SBOM Generation: generate software bill of materials and map risk to dependencies.
• Use Case: For large multi-language repos, run cross-language supply chain security audits and consolidate findings.

Quick Start

Run a full supply-chain security assessment on your repository using the described toolset to identify dependencies, CI/CD weaknesses, and artifact integrity issues.