Security specialty

Supply Chain Security

Browse every cataloged workflow for supply chain security, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

8 skills

cybersecuritySkill

Analyzing SBOM for Supply Chain Vulnerabilities

Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.

Supply Chain Security
cvecyclonedxdependency-analysisgrype+5
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsAI RMF, 5 mappings
cybersecuritySkill

Detecting Dependency Confusion

Detect and prevent public-over-private name resolution in npm, PyPI, and Maven.

Supply Chain Security
dependency-confusiondevsecopsmavennamespace-hijacking+4
ATT&CK, 4 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Detecting Malicious npm Packages

Triage npm packages for install-script malware, exfiltration, and worming behavior.

Supply Chain Security
exfiltrationguarddoginstall-scriptsmalware-analysis+4
ATT&CK, 5 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Detecting Typosquatting Packages

Flag misspelled, brandjacked, and typosquatted package names across npm, PyPI, and crates.io before installation using edit-distance, keyboard-proximity, and known-target corpus matching with typomania, OSSGadget, and pypi-scan.

Supply Chain Security
dependency-screeningnpmossgadgetpackage-registry+4
ATT&CK, 1 mappingNIST CSF, 1 mapping
cybersecuritySkill

Detecting Typosquatting Packages in npm and PyPI

Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using Levenshtein distance and other string metrics, examining publish date heuristics to identify recently created packages mimicking established ones, and flagging download count anomalies where suspicious packages have disproportionately low usage compared to their legitimate targets. The analyst queries the PyPI JSON API and npm registry API to gather package metadata for automated comparison. Activates for requests involving package typosquatting detection, dependency confusion analysis, malicious package identification, or software supply chain threat hunting in package registries.

Supply Chain Security
dependency-confusionlevenshteinmalicious-packagesnpm+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Generating and Analyzing SBOMs

Produce and ingest CycloneDX and SPDX SBOMs and correlate them to vulnerability intelligence.

Supply Chain Security
cyclonedxdevsecopsgrypesbom+4
ATT&CK, 1 mappingNIST CSF, 1 mapping
cybersecuritySkill

Implementing Sigstore for Software Signing

Implements Sigstore-based software signing and verification using Cosign keyless signing, Rekor transparency log verification, and Fulcio certificate authority integration to establish cryptographic provenance for container images, binaries, and software artifacts. The practitioner configures OIDC-based identity binding, verifies signing events against the Rekor transparency log, and integrates signing workflows into CI/CD pipelines. Activates for requests involving software supply chain signing, keyless container signing, Sigstore deployment, or artifact provenance verification.

Supply Chain Security
cosignfulciokeyless-signingoidc+5
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Verifying Build Provenance with SLSA and Sigstore

Verify signed artifacts and SLSA build provenance with Sigstore cosign and slsa-verifier, enforce keyless OIDC identity, and apply SLSA Build levels to harden the software supply chain.

Supply Chain Security
attestationcode-signingcosignkeyless-signing+4
ATT&CK, 1 mappingNIST CSF, 1 mapping