supply-chain-analysis

Official

Audit dependencies, generate SBOMs, reduce risk.

Authordreadnode
Version1.0.0
Installs0

System Documentation

What problem does it solve?

This skill eliminates the manual, error-prone work of tracking project dependencies, identifying vulnerable or unmaintained packages, and generating compliant software bill of materials (SBOMs) for supply chain security audits.

Core Features & Use Cases

  • Dependency Enumeration: Automatically parse common manifests like package.json, requirements.txt, Cargo.lock, and go.sum to inventory all direct and transitive dependencies, flagging unpinned transitive packages as a risk.
  • Risk Correlation: Cross-reference dependencies against OSV advisories, Spectra Assure reports, and OpenSSF Scorecards to identify malicious packages, critical CVEs, and unmaintained libraries with low bus factor.
  • SBOM Generation: Produce signed CycloneDX or SPDX SBOMs for compliance requirements, or lightweight custom SBOMs when no Spectra Assure Portal project exists. Use case: A development team can use this skill to assess the security posture of their application's dependency tree before a production release, prioritizing fixes for the highest-risk packages first.

Quick Start

Use the supply-chain-analysis skill to audit the dependencies of the project in your current working directory and generate a prioritized list of supply chain risks along with a saved SBOM file.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: supply-chain-analysis
Download link: https://github.com/dreadnode/capabilities/archive/main.zip#supply-chain-analysis

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.