{"id":"17c2e6b1-c3c7-4e45-b5b6-b0f0b7396fdd","shortId":"A8jkte","kind":"skill","title":"ci-cd-supply-chain-audit","tagline":"Use this skill to audit CI/CD workflows, dependencies, build scripts, releases, artifacts, and package publishing. Do not use it for runtime application authz review.","description":"# ci-cd-supply-chain-audit\n\n## English\n\n### Purpose\n\nAudit CI/CD and software supply-chain risk.\n\n### Workflow\n\n1. Inspect workflows and build scripts.\n2. Check token permissions.\n3. Check secret exposure.\n4. Check third-party actions and dependency changes.\n5. Check release artifacts and publishing.\n6. Output findings and recommended gates.\n\n### Safety rules\n\nDo not run publish, deploy, release, or credentialed commands.\n\n### Canonical finding format\n\n```yaml\nid: F-001\nseverity: Critical | High | Medium | Low | Informational\nconfidence: High | Medium | Low\ncategory:\naffected_code:\nroot_cause:\nexploit_path:\npreconditions:\nimpact:\nevidence:\nminimal_fix:\nregression_test:\nauto_fix_suitability: Safe | Needs Human Review | Do Not Auto-Fix\nnotes:\n```\n\n### v0.6 operational guardrails\n\n- Keep the skill within its stated trigger conditions and the user's explicitly provided scope.\n- Preserve project safety boundaries: audit-only by default; do not execute exploits, do not auto-merge, do not upload private source code or secrets, and do not scan unrelated repositories without explicit user request.\n- Ask for explicit human approval before patching high-risk auth, IAM, governance, funds, terminal, or agent-tooling behavior.\n- Report validation performed, files changed, residual risk, and any skipped future-phase work when finished.\n\n## Chinese\n\n### Purpose\n\nUse this skill to audit CI/CD and the software supply chain. It should help the reviewer organize input boundaries, risk evidence, impact, fix recommendations, and regression tests into security output that can be independently re-checked.\n\n### Trigger conditions\n\nApplies to workflows, dependencies, build scripts, releases, artifacts, package publishing, and credential-exposure risk. If a request falls outside these boundaries, first explain the scope difference, then choose a more suitable prompt, skill, or human review path.\n\n### When not to use\n\nDo not use it for ordinary runtime authz, smart-contract protocol audits, or legal contract 
review. Do not treat this skill as permission to automatically scan an entire repository, execute exploits, upload private source code or secrets, auto-commit, auto-push, or auto-merge.\n\n### Procedure\n\n1. Establish the target the user has given, the materials you may inspect, and the scope that must not be touched.\n2. Gather the necessary context, but read only the files, diffs, workflows, fixtures, or documents needed to complete the task.\n3. Identify trust boundaries, privileged operations, sensitive data, preconditions, and security impact.\n4. Report only findings backed by evidence; when context is missing, record a question or an assumption.\n5. For each confirmed issue, propose a minimal fix and plan gates for workflow permissions, lockfiles, secret scanning, artifact paths, and release dry runs.\n6. When finished, report the validation output, residual risk, and items that need human confirmation.\n\n### Safety rules\n\nAudit-only by default. Without explicit authorization, do not patch, commit, push, create a PR, or merge. Do not execute exploits, do not access production systems, and do not print secrets. Fixes that touch IAM, the authz model, funds, governance, terminal execution, or agent-tooling permissions must go through human review.\n\n### Output requirements\n\nUse the canonical finding format. Every finding must include severity, confidence, category, affected_code, root_cause, exploit_path, preconditions, impact, evidence, minimal_fix, regression_test, auto_fix_suitability, and notes.","tags":["supply","chain","audit","security","playbook","edmund-xl","agent-skills","chatgpt","codex","devsecops","mcp","smart-contracts"],"capabilities":["skill","source-edmund-xl","skill-ci-cd-supply-chain-audit","topic-agent-skills","topic-audit","topic-chatgpt","topic-codex","topic-devsecops","topic-mcp","topic-security","topic-smart-contracts"],"categories":["ai-security-audit-playbook"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/edmund-xl/ai-security-audit-playbook/ci-cd-supply-chain-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add edmund-xl/ai-security-audit-playbook","source_repo":"https://github.com/edmund-xl/ai-security-audit-playbook","install_from":"skills.sh"}},"qualityScore":"0.453","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 7 github stars · SKILL.md body (2,485 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:13:43.603Z","embedding":null,"createdAt":"2026-05-18T13:21:28.942Z","updatedAt":"2026-05-18T19:13:43.603Z","lastSeenAt":"2026-05-18T19:13:43.603Z","prices":[{"id":"20b50efc-f5ee-4d16-9ef5-9d6d50280f80","listingId":"17c2e6b1-c3c7-4e45-b5b6-b0f0b7396fdd","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"edmund-xl","category":"ai-security-audit-playbook","install_from":"skills.sh"},"createdAt":"2026-05-18T13:21:28.942Z"}],"sources":[{"listingId":"17c2e6b1-c3c7-4e45-b5b6-b0f0b7396fdd","source":"github","sourceId":"edmund-xl/ai-security-audit-playbook/ci-cd-supply-chain-audit","sourceUrl":"https://github.com/edmund-xl/ai-security-audit-playbook/tree/main/skills/ci-cd-supply-chain-audit","isPrimary":false,"firstSeenAt":"2026-05-18T13:21:28.942Z","lastSeenAt":"2026-05-18T19:13:43.603Z"}],"details":{"listingId":"17c2e6b1-c3c7-4e45-b5b6-b0f0b7396fdd","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"edmund-xl","slug":"ci-cd-supply-chain-audit","github":{"repo":"edmund-xl/ai-security-audit-playbook","stars":7,"topics":["agent-skills","audit","chatgpt","codex","devsecops","mcp","security","smart-contracts"],"license":"mit","html_url":"https://github.com/edmund-xl/ai-security-audit-playbook","pushed_at":"2026-05-13T02:30:26Z","description":"Local-first, audit-only security review playbook for AI coding agents: prompts, skills, read-only MCP, findings, and regression tests.","skill_md_sha":"a27c311d703322fe5f9b79e75b189daac07463a1","skill_md_path":"skills/ci-cd-supply-chain-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/edmund-xl/ai-security-audit-playbook/tree/main/skills/ci-cd-supply-chain-audit"},"layout":"multi","source":"github","category":"ai-security-audit-playbook","frontmatter":{"name":"ci-cd-supply-chain-audit","description":"Use this skill to audit CI/CD workflows, dependencies, build scripts, releases, artifacts, 
and package publishing. Do not use it for runtime application authz review."},"skills_sh_url":"https://skills.sh/edmund-xl/ai-security-audit-playbook/ci-cd-supply-chain-audit"},"updatedAt":"2026-05-18T19:13:43.603Z"}}