Skill2.9k repo starsupdated yesterday

supply-chain-security

This skill enforces supply chain security practices for a package manager's dependency resolution and credential handling. Activate it when reviewing changes to dependency resolvers, lockfile schemas, authentication modules, file deletion logic, credential handling in CI workflows, or any code that fetches, verifies, or executes remote content. It ensures path construction uses dedicated security utilities, deletions follow multi-gate cleanup procedures, credentials route through proper authentication resolvers, and all remote content verification fails closed rather than proceeding unsafely.

View source Repository: apm

Install in Claude Code

Copy

git clone --depth 1 https://github.com/microsoft/apm /tmp/supply-chain-security && cp -r /tmp/supply-chain-security/.apm/skills/supply-chain-security ~/.claude/skills/supply-chain-security

Then start a new Claude Code session; the skill loads automatically.

Definition

SKILL.md

# Supply Chain Security Skill

[Supply chain security expert persona](../../agents/supply-chain-security-expert.agent.md)

## When to activate

- Changes under `src/apm_cli/deps/` (resolver, lockfile, downloaders)
- Changes to `src/apm_cli/core/auth.py` or `token_manager.py`
- Changes to `src/apm_cli/integration/cleanup.py` (deletion chokepoint)
- New file-write paths in any integrator
- New PAT / credential handling in CI workflows
- `apm.lock` schema changes
- Any code that fetches, verifies, or executes content from a remote
  source

## Key rules

- All path construction routes through
  `src/apm_cli/utils/path_security.py` (no ad-hoc `".." in x`).
- All deletions of deployed files route through
  `integration/cleanup.py:remove_stale_deployed_files()` (3 safety
  gates).
- All credential reads route through `AuthResolver` -- never raw
  `os.getenv` for token vars.
- Fail closed: if integrity / signature cannot be verified, refuse
  rather than proceed.
- Token values must never appear in user-facing strings.