open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/commands/supply-check.md
Kjell Tore Guttormsen 3b034d9266 feat(llm-security): v7.7.0 — HTML-rapport for alle 18 skill-kommandoer 
Hver /security <cmd> som produserer rapport printer nå en klikkbar
file://-lenke til en self-contained HTML-versjon. Levert over fem
sesjoner; sesjon 5 wirer de 14 resterende skill-filene + slipper
v7.7.0 (versjonsbump + docs).

Sesjon-historikk:
- Sesjon 1 (0dc7ff4) — playground katalog list-view + builder-pane med
  copy-knapp på alle 18 rapporter
- Sesjon 2 (86d6ecd) — playground prosjekt-surface opprydding
  (stub-screen + topbar-splitt)
- Sesjon 3 (fa5fb48) — extract 18 inline parsers + 18 inline renderers
  fra playground til canonical ESM-modul scripts/lib/report-renderers.mjs
  (playground beholder bit-identisk inline-kopi siden ESM import ikke
  fungerer fra file://)
- Sesjon 4 (db80854) — ny zero-dep CLI scripts/render-report.mjs
  (stdin/file/stdout-modus, kebab→camel commandId-routing, ~140 KB
  self-contained HTML med 6 inlined DS-stylesheets + lokal .report-table,
  absolutte file://-paths for Ghostty cmd-click). 4 skills wired:
  scan, audit, posture, deep-scan.
- Sesjon 5 (denne) — 14 resterende skills wired: plugin-audit, mcp-audit,
  mcp-inspect, ide-scan, supply-check, dashboard, pre-deploy, diff,
  watch, registry, clean, harden, threat-model, red-team. Hver skill-fil
  har nå en HTML Report-step som instruerer Claude å skrive markdown
  verbatim, kjøre CLI, og appende klikkbar file://-lenke til respons.

Release-arbeid:
- Versjonsbump v7.6.1 → v7.7.0 i 6 plugin-filer + 2 rot-filer
  (package.json, .claude-plugin/plugin.json, README badge, CLAUDE.md
  header + state-seksjon, docs/version-history.md, plugin Recent versions-
  tabell, rot README plugin-entry, rot CLAUDE.md plugin-katalog)
- CHANGELOG [7.7.0] med full historikk fra sesjon 1-5
- docs/version-history.md v7.7.0-seksjon

Verifisert:
- 18/18 commandIds i CLI gir > 138 KB self-contained HTML
- 1819/1820 tester grønne (pre-compact-scan-perf-flake fyrte under last,
  passerer i isolasjon på 1582 ms — pre-eksisterende, defer til v7.7.x)
- 18/18 skill-filer har HTML Report-step
- Ingen kildefil-treff på 7.6.1 utenfor historiske changelog/version-
  history/README releases-tabell

Ingen scanner- eller hook-atferdsendringer — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 13:12:21 +02:00

2.4 KiB
Raw Blame History

name description allowed-tools model
security:supply-check Re-audit installed dependencies — check lockfiles against blocklists, OSV.dev CVEs, and typosquat detection Read, Bash sonnet

/security supply-check [path]

Re-audit installed dependencies in lockfiles (package-lock.json, yarn.lock, requirements.txt, Pipfile.lock) against blocklists, OSV.dev CVE database, and typosquat detection.

Unlike deep-scan (which includes dep-auditor among 9 scanners), this command runs ONLY the supply-chain-recheck scanner for a focused dependency audit.

Step 1: Setup

  • $ARGUMENTS empty → target = cwd. Otherwise target = first argument.
  • Plugin root = parent of this commands/ folder.

Step 2: Run Scanner

node <plugin-root>/scanners/supply-chain-recheck-cli.mjs "<target>"

Important: This scanner calls OSV.dev API. If offline, blocklist and typosquat checks still run but CVE detection is skipped (an INFO finding notes this).

The scanner outputs JSON to stdout. Parse it.

Step 3: Present Results

Show a summary banner:

## Supply Chain Re-check: [target]
Status: [ok|skipped|error] | Findings: XC XH XM XL XI | Files: N lockfile(s)

If osv_offline: true in result, note: "OSV.dev was unreachable — CVE check was skipped. Blocklist and typosquat checks completed."

Step 4: Detail Findings

For each finding, show:

  • Severity badge and title
  • File (lockfile) and evidence
  • Recommendation

Group by severity (CRITICAL first). If zero findings: "No supply chain issues detected in N lockfile(s)."

Step 5: HTML Report

After producing the markdown supply-check report above:

  1. Compute a temp markdown path:

    node -p "require('path').join(require('os').tmpdir(), 'sec-supply-check-' + Date.now() + '.md')"

  2. Use the Write tool to save the entire markdown report you just produced (banner + lockfile coverage + all findings grouped by severity) to that temp path. Verbatim.

  3. Run the renderer:

    node <plugin-root>/scripts/render-report.mjs supply-check --in "<temp-md-path>"

    The CLI writes reports/supply-check-<YYYYMMDD-HHmmss>.html relative to CWD and prints file:///abs/path.html on stdout.

  4. Append to your response (markdown link, no bare URL):

    HTML-rapport: Åpne i nettleser

If the CLI exits non-zero, mention the error but do not block — the markdown report above is the primary deliverable.