From cybersec-toolkit
Hardens software supply chain with SBOM, SLSA, provenance attestation, dependency pinning, artifact signing, and CI/CD controls.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersec-toolkit:supply-chain-prodsec-hardening
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this skill for SDLC, build/release pipelines, dependency trust, artifact provenance, product security, and supply-chain risk reduction.
| Stage | Weakness | Attack path | Control | Evidence | Owner | Priority |
|---|---|---|---|---|---|---|
Prefer controls that are enforceable in CI/CD or registry policy over wiki-only process.
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit
Designs software supply chain security controls including SBOM generation, artifact signing, dependency management, and build pipeline integrity per NIST SP 800-161r1 and SLSA.
Audits dependency configs for supply chain risks like unpinned versions, missing lockfiles, postinstall scripts in package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, pom.xml. Hardens with pinning, SBOM, signing best practices.
Use this skill when the user asks to "harden supply chain", "secure dependencies", "pin versions", "audit packages", "secure GitHub Actions", "harden containers", "secure IaC", "audit extensions", "secure AI models", "audit pickle files", "scan for secrets", "harden credentials", "rotate tokens", "audit credentials", "sign commits", "commit signing", "signed commits", "gitsign", or needs guidance on software supply chain security, dependency management, credential hygiene, secret scanning, or preventing supply chain attacks. Also trigger when the user mentions tools like Grype, Cosign, Sigstore, Checkov, Hadolint, Zizmor, ModelScan, SafeTensors, Betterleaks, gitsign, or references SLSA.