By latiotech
Audit and harden your software supply chain - packages, containers, GitHub Actions, IaC, AI/ML models, and IDE extensions. Action commands fix issues directly; walkthrough commands guide you through advanced setup.
- Find long-lived tokens, hardcoded secrets, and credentials that should be rotated or replaced
- Run a full supply chain security audit across all domains
- Pin GitHub Actions to SHAs, fix permissions, and flag dangerous triggers
- Fix unsafe model deserialization and harden AI/ML model usage
- Pin base images by digest, enforce non-root, and harden Dockerfiles
Protect your projects from supply chain attacks with Claude.
When you build software, you rely on hundreds of third-party packages, container images, GitHub Actions, and more. Attackers increasingly target these dependencies to sneak malicious code into otherwise trustworthy projects. This is called a supply chain attack.
This plugin gives Claude Code the ability to audit your project for supply chain risks and fix them for you, covering seven areas:
| Area | Examples of What Could Go Wrong |
|---|---|
| Packages (npm, pip, etc.) | A dependency gets hijacked and runs a malicious install script |
| Containers (Docker) | Your base image silently changes to include a backdoor |
| GitHub Actions | A third-party Action gets compromised and steals your secrets |
| Infrastructure as Code (Terraform) | An unverified module provisions resources you didn't ask for |
| AI/ML Models | A pickle file executes arbitrary code when loaded |
| IDE Extensions | A VS Code extension exfiltrates code from your workspace |
| Credentials | A leaked API key or long-lived token enables lateral movement across services |
Based on the Latio Supply Chain Security Checklist
Note: This plugin is pending addition to the official Claude Code marketplace. In the meantime, you can install it directly using the self-hosted marketplace below. Once it's in the official marketplace, you'll be able to install it with just `/plugin install supply-chain-security`.
Add the marketplace and install the plugin from within Claude Code:

```
/plugin marketplace add latiotech/secure-supply-chain-skills
/plugin install supply-chain-security@secure-supply-chain
```

After installing, run `/reload-plugins` to activate the plugin.
Once installed, open Claude Code in any project and run:

```
/audit-supply-chain
```
This scans your repo, figures out which areas apply to you, auto-fixes critical items (pinning versions, resolving SHAs, disabling install scripts), and gives you a report showing what was fixed and what still needs attention.
These commands take action by default. They scan your repo, make changes (pin versions to exact hashes, resolve commit SHAs, fix configs), and explain each change as it's made. Run these first.
| Command | What It Does |
|---|---|
| `/audit-supply-chain` | Full audit - detects what's in your repo, checks everything, auto-fixes critical items |
| `/harden-packages` | Pin dependency versions, disable install scripts, secure registry configs |
| `/harden-containers` | Pin base images by digest, enforce non-root, create .dockerignore |
| `/harden-actions` | Pin Actions to SHAs, set permissions, fix script injection, add Dependabot |
| `/harden-iac` | Pin Terraform modules/providers, generate lockfiles, flag provisioners |
| `/harden-ai-ml` | Fix unsafe torch.load/pickle.load, pin model sources, add hash verification |
| `/harden-ide-extensions` | Audit extensions, remove secrets from settings, add devcontainer config |
| `/harden-credentials` | Scan for leaked secrets, set up pre-commit hooks, harden .gitignore, fix credential anti-patterns |
| `/audit-credentials` | Find long-lived tokens, hardcoded secrets, credentials that should be rotated or replaced with OIDC |
| `/update-pins` | Check pinned deps, Actions, images, and modules for newer versions — auto-updates patch/minor, flags majors with changelogs |
| `/minimize` | Remove unused dependencies and convert Dockerfiles to multi-stage builds to reduce attack surface |
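The `/harden-ai-ml` row above names two fixes for model files: verify a pinned hash before loading and replace a bare `pickle.load`. The following is an added example of both, not the plugin's own code; the allowlist, file names and checkpoint contents are constructed for the demonstration.

```python
"""Added example, not the plugin's own code: the checks the /harden-ai-ml row
describes, a pinned SHA-256 digest verified before load and an allowlisting unpickler."""
import hashlib
import pickle
import tempfile
from collections import OrderedDict
from datetime import datetime
from pathlib import Path

# Globals a checkpoint may reference (assumption: plain containers of numbers).
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"),
                ("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the hook a pickle uses to import arbitrary callables;
    allowing only listed names removes that code-execution path."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def load_pinned_model(path: Path, expected_sha256: str):
    """Refuse the file if its digest differs from the pinned one, then
    unpickle it through the allowlist. Raises on either failure."""
    actual = sha256_of(path)
    if actual != expected_sha256:
        raise ValueError(f"digest mismatch for {path.name}: got {actual[:12]}..")
    with path.open("rb") as f:
        return RestrictedUnpickler(f).load()

def demo() -> dict:
    """Constructed inputs: an OrderedDict checkpoint (allowed), a file holding
    a datetime (global not allowlisted), and a wrong pinned digest."""
    tmp = Path(tempfile.mkdtemp())
    good, odd = tmp / "model.pkl", tmp / "odd.pkl"
    good.write_bytes(pickle.dumps(OrderedDict(weights=[0.1, 0.2, 0.3])))
    odd.write_bytes(pickle.dumps({"ts": datetime(2024, 1, 1)}))
    out = {"good": load_pinned_model(good, sha256_of(good))}
    cases = {"odd": (odd, sha256_of(odd)), "tampered": (good, "0" * 64)}
    for key, (path, digest) in cases.items():
        try:
            load_pinned_model(path, digest)
            out[key] = "loaded"
        except (pickle.UnpicklingError, ValueError) as e:
            out[key] = type(e).__name__
    return out
```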
These commands are interactive walkthroughs for configurations that require steps outside your codebase (cloud provider setup, Kubernetes config, GitHub settings). Run these separately when you're ready to tackle advanced hardening.
```
npx claudepluginhub latiotech/secure-supply-chain-skills --plugin supply-chain-security
```