Skill2.9k estrellas del repoactualizado yesterday
supply-chain-security
This skill enforces supply chain security practices for a package manager's dependency resolution and credential handling. Activate it when reviewing changes to dependency resolvers, lockfile schemas, authentication modules, file deletion logic, credential handling in CI workflows, or any code that fetches, verifies, or executes remote content. It ensures path construction uses dedicated security utilities, deletions follow multi-gate cleanup procedures, credentials route through proper authentication resolvers, and all remote content verification fails closed rather than proceeding unsafely.
Instalar en Claude Code
Copiargit clone --depth 1 https://github.com/microsoft/apm /tmp/supply-chain-security && cp -r /tmp/supply-chain-security/.apm/skills/supply-chain-security ~/.claude/skills/supply-chain-securityDespués abre una sesión nueva de Claude Code; el skill carga automáticamente.
Definición
SKILL.md
# Supply Chain Security Skill [Supply chain security expert persona](../../agents/supply-chain-security-expert.agent.md) ## When to activate - Changes under `src/apm_cli/deps/` (resolver, lockfile, downloaders) - Changes to `src/apm_cli/core/auth.py` or `token_manager.py` - Changes to `src/apm_cli/integration/cleanup.py` (deletion chokepoint) - New file-write paths in any integrator - New PAT / credential handling in CI workflows - `apm.lock` schema changes - Any code that fetches, verifies, or executes content from a remote source ## Key rules - All path construction routes through `src/apm_cli/utils/path_security.py` (no ad-hoc `".." in x`). - All deletions of deployed files route through `integration/cleanup.py:remove_stale_deployed_files()` (3 safety gates). - All credential reads route through `AuthResolver` -- never raw `os.getenv` for token vars. - Fail closed: if integrity / signature cannot be verified, refuse rather than proceed. - Token values must never appear in user-facing strings.