---
name: security:supply-check
description: Re-audit installed dependencies — check lockfiles against blocklists, OSV.dev CVEs, and typosquat detection
allowed-tools: Read, Bash
model: sonnet
---

# /security supply-check [path]

Re-audit installed dependencies in lockfiles (package-lock.json, yarn.lock, requirements.txt, Pipfile.lock) against blocklists, the OSV.dev CVE database, and typosquat detection.

Unlike `deep-scan` (which includes dep-auditor among 9 scanners), this command runs ONLY the supply-chain-recheck scanner for a focused dependency audit.

## Step 1: Setup

- `$ARGUMENTS` empty → target = cwd. Otherwise target = first argument.
- Plugin root = parent of this `commands/` folder.

## Step 2: Run Scanner

```bash
node <plugin-root>/scanners/supply-chain-recheck-cli.mjs "<target>"
```

**Important:** This scanner calls the OSV.dev API. If offline, blocklist and typosquat checks still run but CVE detection is skipped (an INFO finding notes this).

The scanner outputs JSON to stdout. Parse it.

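The three checks the scanner performs (blocklist, typosquat, OSV.dev CVE lookup) are named above but not shown. The script below is an added illustration of how such a re-check works over an npm lockfile; it is not the plugin's `supply-chain-recheck-cli.mjs`. The lockfile, the blocklist and the list of popular package names are all constructed, and the OSV.dev request body is built but not sent, so it runs offline. Only the `https://api.osv.dev/v1/querybatch` endpoint and the `lockfileVersion` 2/3 `packages` layout are real.

```javascript
// Added illustration of the three checks the supply-chain-recheck step performs
// (blocklist, typosquat, OSV.dev CVE lookup), not the plugin's own scanner code.
// Everything here is constructed: the lockfile, the blocklist and the list of
// popular package names. The OSV.dev request body is built but not sent, so the
// script runs offline; a real run would POST it to https://api.osv.dev/v1/querybatch.

// Placeholder lists standing in for whatever the real scanner ships with.
const BLOCKLIST = new Set(["evil-helper@1.2.3"]);
const POPULAR = ["lodash", "express", "react", "axios", "chalk"];

// Constructed npm lockfile in the lockfileVersion 2/3 "packages" layout.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/lodahs": { version: "1.0.0" },
    "node_modules/evil-helper": { version: "1.2.3" },
    "node_modules/@scope/pkg/node_modules/chalk": { version: "5.3.0" },
  },
});

// Extract { name, version } pairs from the "packages" map. Keys are install
// paths; the package name is whatever follows the last "node_modules/".
function parsePackageLock(text) {
  const lock = JSON.parse(text);
  const deps = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project itself
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
    if (meta.version) deps.push({ name, version: meta.version });
  }
  return deps;
}

// Optimal-string-alignment distance: Levenshtein plus adjacent transpositions,
// so "lodahs" is distance 1 from "lodash".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Run the blocklist and typosquat checks locally and prepare the OSV query.
function auditLockfile(text) {
  const deps = parsePackageLock(text);
  const findings = [];
  for (const { name, version } of deps) {
    if (BLOCKLIST.has(`${name}@${version}`)) {
      findings.push({ severity: "CRITICAL", title: `Blocklisted package ${name}@${version}` });
    }
    // A name one edit away from a popular package, but not that package, is a candidate.
    const near = POPULAR.find((p) => p !== name && osaDistance(name, p) === 1);
    if (near) {
      findings.push({ severity: "HIGH", title: `Possible typosquat: ${name} resembles ${near}` });
    }
  }
  // Batch query body for OSV.dev; one entry per resolved dependency.
  const osvRequest = {
    queries: deps.map((d) => ({ package: { name: d.name, ecosystem: "npm" }, version: d.version })),
  };
  return { deps, findings, osvRequest };
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

The distance-1 rule is deliberately narrow: widening it to 2 catches more squats but starts flagging legitimately similar names, so a real scanner pairs it with an allowlist of known-good packages. When the network is available, the `osvRequest` body is what gets posted; when it is not, the local findings are still valid, which is the behaviour the **Important** note above describes.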
## Step 3: Present Results

Show a summary banner:

```
## Supply Chain Re-check: [target]
Status: [ok|skipped|error] | Findings: XC XH XM XL XI | Files: N lockfile(s)
```

If `osv_offline: true` in the result, note: "OSV.dev was unreachable — CVE check was skipped. Blocklist and typosquat checks completed."

## Step 4: Detail Findings

For each finding, show:

- Severity badge and title
- File (lockfile) and evidence
- Recommendation

Group by severity (CRITICAL first). If zero findings: "No supply chain issues detected in N lockfile(s)."
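Steps 2 to 4 together describe one procedure: parse the scanner's JSON, print the banner, then list findings by severity. The script below is an added example of that rendering logic, not the plugin's own code. The page names only `status` and `osv_offline`; the rest of the result shape used here (`files`, `findings[]` with `severity`, `title`, `file`, `evidence`, `recommendation`) is an assumption, and the sample output is constructed.

```javascript
// Added example, not the plugin's own code: turn the scanner's JSON stdout
// into the banner (Step 3) and the grouped finding list (Step 4).
// Assumed result schema: { status, osv_offline, files: [...], findings: [...] }.
// The page only names status and osv_offline; the rest is an assumption.

const SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"];

// Constructed sample of what the scanner might print when OSV.dev is unreachable.
const SAMPLE_OUTPUT = JSON.stringify({
  status: "ok",
  osv_offline: true,
  files: ["package-lock.json", "requirements.txt"],
  findings: [
    { severity: "INFO", title: "OSV.dev unreachable; CVE check skipped",
      file: "package-lock.json", evidence: "fetch failed", recommendation: "Re-run with network access." },
    { severity: "CRITICAL", title: "Blocklisted package evil-helper@1.2.3",
      file: "package-lock.json", evidence: "node_modules/evil-helper", recommendation: "Remove the package and rotate any secrets it could reach." },
    { severity: "HIGH", title: "Possible typosquat: reqeusts",
      file: "requirements.txt", evidence: "reqeusts==2.0.0", recommendation: "Replace with the intended package name." },
  ],
});

// Produce the "XC XH XM XL XI" field of the banner, in that fixed order.
function severityCounts(findings) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const f of findings) if (f.severity in counts) counts[f.severity]++;
  return SEVERITY_ORDER.map((s) => `${counts[s]}${s[0]}`).join(" ");
}

// Step 3: summary banner, plus the offline note when osv_offline is set.
function renderBanner(result, target) {
  const lines = [
    `## Supply Chain Re-check: ${target}`,
    `Status: ${result.status} | Findings: ${severityCounts(result.findings)} | Files: ${result.files.length} lockfile(s)`,
  ];
  if (result.osv_offline) {
    lines.push("OSV.dev was unreachable — CVE check was skipped. Blocklist and typosquat checks completed.");
  }
  return lines.join("\n");
}

// Step 4: findings sorted CRITICAL first; unknown severities sort last.
function renderFindings(result) {
  if (result.findings.length === 0) {
    return `No supply chain issues detected in ${result.files.length} lockfile(s).`;
  }
  const rank = (f) => {
    const i = SEVERITY_ORDER.indexOf(f.severity);
    return i === -1 ? SEVERITY_ORDER.length : i;
  };
  const sorted = [...result.findings].sort((a, b) => rank(a) - rank(b));
  return sorted
    .map((f) => [
      `[${f.severity}] ${f.title}`,
      `  File: ${f.file} | Evidence: ${f.evidence}`,
      `  Recommendation: ${f.recommendation}`,
    ].join("\n"))
    .join("\n");
}

// Glue: parse stdout text, return the parsed result and both rendered sections.
function presentScan(stdoutText, target) {
  const result = JSON.parse(stdoutText);
  return { result, banner: renderBanner(result, target), details: renderFindings(result) };
}

const shown = presentScan(SAMPLE_OUTPUT, "./demo-app");
console.log(shown.banner + "\n\n" + shown.details);
```

Two details matter for the operator reading the output: the INFO finding that records the skipped CVE check is kept and counted, so an offline run is never mistaken for a clean one, and the sort is stable, so findings of equal severity keep the order the scanner emitted them in.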