---
name: security:supply-check
description: Re-audit installed dependencies — check lockfiles against blocklists, OSV.dev CVEs, and typosquat detection
allowed-tools: Read, Bash
model: sonnet
---

# /security supply-check [path]

Re-audit installed dependencies in lockfiles (package-lock.json, yarn.lock, requirements.txt, Pipfile.lock) against blocklists, OSV.dev CVE database, and typosquat detection.

Unlike `deep-scan` (which includes dep-auditor among 9 scanners), this command runs ONLY the supply-chain-recheck scanner for a focused dependency audit.

## Step 1: Setup

- `$ARGUMENTS` empty → target = cwd. Otherwise target = first argument.
- Plugin root = parent of this `commands/` folder.

## Step 2: Run Scanner

```bash
node <plugin-root>/scanners/supply-chain-recheck-cli.mjs "<target>"
```

**Important:** This scanner calls OSV.dev API. If offline, blocklist and typosquat checks still run but CVE detection is skipped (an INFO finding notes this).

The scanner outputs JSON to stdout. Parse it.

## Step 3: Present Results

Show a summary banner:

```
## Supply Chain Re-check: [target]
Status: [ok|skipped|error] | Findings: XC XH XM XL XI | Files: N lockfile(s)
```

If `osv_offline: true` in result, note: "OSV.dev was unreachable — CVE check was skipped. Blocklist and typosquat checks completed."

## Step 4: Detail Findings

For each finding, show:
- Severity badge and title
- File (lockfile) and evidence
- Recommendation

Group by severity (CRITICAL first). If zero findings: "No supply chain issues detected in N lockfile(s)."