Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

sawrus/sbom-supply-chain

Name: sbom-supply-chain
Author: sawrus

areas/devops/devsecops/skills/sbom-supply-chain/SKILL.md

npx skillsauth add sawrus/agent-guides sbom-supply-chain

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Skill: SBOM & Supply Chain Security

Expertise: Syft/Trivy SBOM generation, cosign SBOM attestation, SLSA provenance, dependency pinning, OCI attestations.

When to load

When generating SBOMs for images, attaching attestations to OCI registry, verifying supply chain integrity, or achieving SLSA compliance.

SBOM Generation (Syft)

# Generate CycloneDX SBOM from image (OCI)
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o cyclonedx-json=sbom.cdx.json

# Generate SPDX SBOM from image
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o spdx-json=sbom.spdx.json

# Generate from local directory (during build)
syft dir:. -o cyclonedx-json=sbom.cdx.json

# Generate from Dockerfile build context (before push)
syft packages docker:myimage:latest -o cyclonedx-json=sbom.cdx.json

SBOM Attestation via cosign

# Sign image and attach SBOM as OCI attestation
# Step 1: Build and push image
docker buildx build --push \
  -t registry.example.com/myorg/order-service:v1.2.3 .

# Step 2: Get digest
DIGEST=$(crane digest registry.example.com/myorg/order-service:v1.2.3)

# Step 3: Generate SBOM
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o cyclonedx-json=sbom.cdx.json

# Step 4: Attach SBOM as attestation (Sigstore keyless)
cosign attest \
  --predicate sbom.cdx.json \
  --type cyclonedx \
  registry.example.com/myorg/order-service@${DIGEST}

# Step 5: Verify attestation exists
cosign verify-attestation \
  --type cyclonedx \
  --certificate-identity-regexp ".*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  registry.example.com/myorg/order-service@${DIGEST} \
  | jq '.payload | @base64d | fromjson | .predicate.metadata'

GitHub Actions: Full Supply Chain Pipeline

# .github/workflows/supply-chain.yml
jobs:
  build-sign-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write         # for cosign keyless signing

    steps:
      - uses: actions/checkout@v4

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Install syft
        uses: anchore/sbom-action/download-syft@v0

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: registry.example.com/myorg/order-service:${{ github.sha }}

      - name: Sign image (keyless via OIDC)
        run: |
          cosign sign \
            registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }}

      - name: Generate SBOM
        run: |
          syft registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }} \
            -o cyclonedx-json=sbom.cdx.json

      - name: Attach SBOM attestation
        run: |
          cosign attest \
            --predicate sbom.cdx.json \
            --type cyclonedx \
            registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }}

      - name: Generate SLSA provenance
        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
        with:
          image: registry.example.com/myorg/order-service
          digest: ${{ steps.build.outputs.digest }}

Verify Before Deploy (admission check)

# Verify image is signed before deploying
cosign verify \
  --certificate-identity-regexp "https://github.com/myorg/myrepo" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  registry.example.com/myorg/order-service@sha256:<digest>

# Kyverno policy: enforce signed images in production
# (see opa-policies skill for full Kyverno policy)

Dependency Pinning (supply chain hardening)

# Pin base image to digest — not just tag
FROM python:3.12-slim@sha256:abc123...   # ✅
FROM python:3.12-slim                    # ❌ tag can be replaced

# Verify base image digest in CI
crane digest python:3.12-slim

# Python: generate requirements with hashes (pip-compile)
pip-compile --generate-hashes requirements.in -o requirements.txt

# Install with hash verification
pip install -r requirements.txt --require-hashes

# Node: lock file with integrity hashes (automatic in npm/yarn)
npm ci   # uses package-lock.json with sha512 integrity hashes

SBOM Analysis

# Scan SBOM for vulnerabilities (without re-pulling image)
grype sbom:sbom.cdx.json --fail-on high

# List all packages in SBOM
cat sbom.cdx.json | jq '.components[] | {name: .name, version: .version, purl: .purl}'

# Check for GPL licenses in SBOM
cat sbom.cdx.json | jq '.components[] | select(.licenses[]?.license.id | startswith("GPL"))'

sawrus/sbom-supply-chain

areas/devops/devsecops/skills/sbom-supply-chain/SKILL.md

Generate, attach, and verify SBOMs (CycloneDX/SPDX) for container images; implement SLSA provenance; harden software supply chain.

12 stars

testing

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add sawrus/agent-guides sbom-supply-chain

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 4:19 AM34.5s1 file scanned

SKILL.md

name:: sbom-supply-chain
type:: skill
description:: Generate, attach, and verify SBOMs (CycloneDX/SPDX) for container images; implement SLSA provenance; harden software supply chain.
allowed-tools:: Read, Write, Edit, Bash

Skill: SBOM & Supply Chain Security

Expertise: Syft/Trivy SBOM generation, cosign SBOM attestation, SLSA provenance, dependency pinning, OCI attestations.

When to load

When generating SBOMs for images, attaching attestations to OCI registry, verifying supply chain integrity, or achieving SLSA compliance.

SBOM Generation (Syft)

# Generate CycloneDX SBOM from image (OCI)
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o cyclonedx-json=sbom.cdx.json

# Generate SPDX SBOM from image
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o spdx-json=sbom.spdx.json

# Generate from local directory (during build)
syft dir:. -o cyclonedx-json=sbom.cdx.json

# Generate from Dockerfile build context (before push)
syft packages docker:myimage:latest -o cyclonedx-json=sbom.cdx.json

SBOM Attestation via cosign

# Sign image and attach SBOM as OCI attestation
# Step 1: Build and push image
docker buildx build --push \
  -t registry.example.com/myorg/order-service:v1.2.3 .

# Step 2: Get digest
DIGEST=$(crane digest registry.example.com/myorg/order-service:v1.2.3)

# Step 3: Generate SBOM
syft registry.example.com/myorg/order-service:v1.2.3 \
  -o cyclonedx-json=sbom.cdx.json

# Step 4: Attach SBOM as attestation (Sigstore keyless)
cosign attest \
  --predicate sbom.cdx.json \
  --type cyclonedx \
  registry.example.com/myorg/order-service@${DIGEST}

# Step 5: Verify attestation exists
cosign verify-attestation \
  --type cyclonedx \
  --certificate-identity-regexp ".*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  registry.example.com/myorg/order-service@${DIGEST} \
  | jq '.payload | @base64d | fromjson | .predicate.metadata'

GitHub Actions: Full Supply Chain Pipeline

# .github/workflows/supply-chain.yml
jobs:
  build-sign-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write         # for cosign keyless signing

    steps:
      - uses: actions/checkout@v4

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Install syft
        uses: anchore/sbom-action/download-syft@v0

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: registry.example.com/myorg/order-service:${{ github.sha }}

      - name: Sign image (keyless via OIDC)
        run: |
          cosign sign \
            registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }}

      - name: Generate SBOM
        run: |
          syft registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }} \
            -o cyclonedx-json=sbom.cdx.json

      - name: Attach SBOM attestation
        run: |
          cosign attest \
            --predicate sbom.cdx.json \
            --type cyclonedx \
            registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }}

      - name: Generate SLSA provenance
        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
        with:
          image: registry.example.com/myorg/order-service
          digest: ${{ steps.build.outputs.digest }}

Verify Before Deploy (admission check)

# Verify image is signed before deploying
cosign verify \
  --certificate-identity-regexp "https://github.com/myorg/myrepo" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  registry.example.com/myorg/order-service@sha256:<digest>

# Kyverno policy: enforce signed images in production
# (see opa-policies skill for full Kyverno policy)

Dependency Pinning (supply chain hardening)

# Pin base image to digest — not just tag
FROM python:3.12-slim@sha256:abc123...   # ✅
FROM python:3.12-slim                    # ❌ tag can be replaced

# Verify base image digest in CI
crane digest python:3.12-slim

# Python: generate requirements with hashes (pip-compile)
pip-compile --generate-hashes requirements.in -o requirements.txt

# Install with hash verification
pip install -r requirements.txt --require-hashes

# Node: lock file with integrity hashes (automatic in npm/yarn)
npm ci   # uses package-lock.json with sha512 integrity hashes

SBOM Analysis

# Scan SBOM for vulnerabilities (without re-pulling image)
grype sbom:sbom.cdx.json --fail-on high

# List all packages in SBOM
cat sbom.cdx.json | jq '.components[] | {name: .name, version: .version, purl: .purl}'

# Check for GPL licenses in SBOM
cat sbom.cdx.json | jq '.components[] | select(.licenses[]?.license.id | startswith("GPL"))'

Related Skills

sawrus/qa_expert

testing

VerifiedTrustedCommunity

QA Expert for writing E2E tests, test scenarios, test plans, and ensuring test coverage quality.

12SKILL.mdUpdated Apr 18, 2026

sawrus/design_expert

development

VerifiedTrustedCommunity

Expert UI/UX design intelligence for creating distinctive, high-craft, and mobile-first interfaces. Focuses on premium aesthetics, touch-first ergonomics, and Flutter performance.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

development

VerifiedTrustedCommunity

Code Review Expert for static analysis, security auditing, architecture review, and ensuring code quality standards.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

sawrus/babysit-pr

development

VerifiedTrustedCommunity

Babysit a GitHub pull request after creation by continuously polling review comments, CI checks/workflow runs, and mergeability state until the PR is merged/closed or user help is required. Diagnose failures, retry likely flaky failures up to 3 times, auto-fix/push branch-related issues when appropriate, and keep watching open PRs so fresh review feedback is surfaced promptly. Use when the user asks Codex to monitor a PR, watch CI, handle review comments, or keep an eye on failures and feedback on an open PR.

12SKILL.mdUpdated Apr 18, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/sawrus/agent-guides.git

# Copy into Claude Code skills folder (global)
cp -r agent-guides/areas/devops/devsecops/skills/sbom-supply-chain ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

sawrus/agent-guides

12 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT