llm-security/commands/supply-check.md
Kjell Tore Guttormsen f153f969a0 feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command
Add /ultraresearch-local for structured research combining local codebase
analysis with external knowledge via parallel agent swarms. Produces research
briefs with triangulation, confidence ratings, and source quality assessment.

New command: /ultraresearch-local with modes --quick, --local, --external, --fg.
New agents: research-orchestrator (opus), docs-researcher, community-researcher,
security-researcher, contrarian-researcher, gemini-bridge (all sonnet).
New template: research-brief-template.md.

Integration: --research flag in /ultraplan-local accepts pre-built research
briefs (up to 3), enriches the interview and exploration phases. Planning
orchestrator cross-references brief findings during synthesis.

Design principle: Context Engineering — right information to right agent at
right time. Research briefs are structured artifacts in the pipeline:
ultraresearch → brief → ultraplan --research → plan → ultraexecute.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 08:58:35 +02:00

1.5 KiB

name description allowed-tools model
security:supply-check Re-audit installed dependencies — check lockfiles against blocklists, OSV.dev CVEs, and typosquat detection Read, Bash sonnet

/security supply-check [path]

Re-audit installed dependencies in lockfiles (package-lock.json, yarn.lock, requirements.txt, Pipfile.lock) against blocklists, OSV.dev CVE database, and typosquat detection.

Unlike deep-scan (which includes dep-auditor among 9 scanners), this command runs ONLY the supply-chain-recheck scanner for a focused dependency audit.

Step 1: Setup

  • $ARGUMENTS empty → target = cwd. Otherwise target = first argument.
  • Plugin root = parent of this commands/ folder.

Step 2: Run Scanner

node <plugin-root>/scanners/supply-chain-recheck-cli.mjs "<target>"

Important: This scanner calls OSV.dev API. If offline, blocklist and typosquat checks still run but CVE detection is skipped (an INFO finding notes this).

The scanner outputs JSON to stdout. Parse it.

Step 3: Present Results

Show a summary banner:

## Supply Chain Re-check: [target]
Status: [ok|skipped|error] | Findings: XC XH XM XL XI | Files: N lockfile(s)

If osv_offline: true in result, note: "OSV.dev was unreachable — CVE check was skipped. Blocklist and typosquat checks completed."

Step 4: Detail Findings

For each finding, show:

  • Severity badge and title
  • File (lockfile) and evidence
  • Recommendation

Group by severity (CRITICAL first). If zero findings: "No supply chain issues detected in N lockfile(s)."