nist0/copilot_dev/.github/skills/engineering/devops-cloud/supply-chain
copilot_dev/.github/skills/engineering/devops-cloud/supply-chain/SKILL.md
# Supply Chain Basics (CI/CD Security) ## When to use - You want minimal, high-impact CI/CD security practices - You publish artifacts/images/packages and need provenance basics ## Workflow 1) Dependency hygiene - pin dependencies where possible - avoid untrusted scripts; review new build tooling 2) GitHub Actions hardening - least-privilege permissions - pin action versions (commit SHA for high assurance) - restrict `GITHUB_TOKEN` permissions 3) Secrets handling - never ec
tools
Updated Apr 8, 2026
$ install --global
skillsauthnpx skillsauth add nist0/copilotdev-tmp-consumer copilot_dev/.github/skills/engineering/devops-cloud/supply-chainInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 8, 2026, 2:05 AM41.3s1 file scanned
SKILL.md
Supply Chain Basics (CI/CD Security)
When to use
- You want minimal, high-impact CI/CD security practices
- You publish artifacts/images/packages and need provenance basics
Workflow
- Dependency hygiene
- pin dependencies where possible
- avoid untrusted scripts; review new build tooling
- GitHub Actions hardening
- least-privilege permissions
- pin action versions (commit SHA for high assurance)
- restrict
GITHUB_TOKENpermissions
- Secrets handling
- never echo secrets
- separate environments; short-lived credentials if possible
- Artifact integrity (pragmatic baseline)
- define what is published and from where
- keep build steps deterministic
- Verification
- validate checks before release
- keep an auditable release trail (tags, changelog, build logs)
Outputs
- A minimal supply-chain checklist for PRs and releases
- Recommended guardrails for GitHub Actions
- “Next step” suggestions if you want stronger guarantees later
Related Skills
nist0/copilot_dev/.github/skills/research/tech-watch/weekly-digest
tools
VerifiedTrustedCommunity
# Tech Watch (Weekly Digest) ## When to use - You want a weekly digest on selected topics (dotnet, k8s/aks, observability, security, LLM tooling). ## Workflow 1) Define topics and priority order. 2) Collect primary sources (release notes, official docs, papers). 3) Summarize: what changed + why it matters. 4) Propose 1–3 experiments to try next week. ## Outputs - Weekly digest (Markdown) - Experiments list (1–3) with expected payoff - Source list (primary preferred)
SKILL.mdUpdated Apr 8, 2026
nist0/copilot_dev/.github/skills/research/brainstorming/innovation-sprint
development
VerifiedTrustedCommunity
# Innovation Sprint ## When to use - You need new ideas or alternative designs. - You want a short, structured ideation session. ## Workflow 1) Clarify constraints and success criteria. 2) Generate 8–12 ideas quickly (no filtering). 3) Cluster similar ideas and pick top 3. 4) For top 3: define value, feasibility, risks, and a 1–2h spike plan. ## Outputs - Idea list - Top 3 shortlist + tradeoffs - Spike plan for each shortlisted idea
SKILL.mdUpdated Apr 8, 2026
nist0/copilot_dev/.github/skills/engineering/tooling/vscode
tools
VerifiedTrustedCommunity
# VS Code (Copilot Dev Framework Usage) ## When to use - You need to ensure Copilot Dev Framework is loaded correctly in VS Code. - You want best practices for working with prompts, agents, and skills. ## Workflow 1) Bootstrap integration - run `copilot_dev/bootstrap/bootstrap.ps1` or `.sh` 2) Reload - Reload window after bootstrap 3) Discoverability - use `/route` to select agent/prompt/skill - verify prompts appear in the slash command list 4) Multi-root workspaces - ensure
SKILL.mdUpdated Apr 8, 2026
nist0/copilot_dev/.github/skills/engineering/tooling/postman
tools
VerifiedTrustedCommunity
# Postman (API Collections) ## When to use - You want repeatable API request collections with environments. - You want to validate API contract behavior manually or in CI. ## Workflow 1) Organize collections by domain 2) Use environments for base URLs and auth tokens 3) Add tests - status code assertions, schema checks where possible 4) Documentation - include examples and descriptions 5) Version control - export collections; keep in repo if required ## Outputs - Collection struct
SKILL.mdUpdated Apr 8, 2026