---
name: pentest-supply-chain
description: Software supply chain security — dependency confusion, CI/CD pipeline attacks, lockfile integrity, and build artifact verification.
---

# Pentest Supply Chain

## Purpose
Supply chain attacks (SolarWinds, Log4Shell, xz-utils) are the fastest-growing threat category. Shannon explicitly excludes "vulnerable third-party libraries." MITRE ATT&CK T1195 has zero coverage in any existing skill.

## Prerequisites

### Authorization Requirements
- **Written authorization** with supply chain testing scope
- **Repository access** for dependency and CI/CD analysis
- **Registry awareness** — confirm which private registries are in use
- **Build system access** for pipeline review (if white-box)

### Environment Setup
- Snyk CLI for dependency vulnerability scanning
- npm audit / pip-audit for ecosystem-specific checks
- Trivy for container and filesystem scanning
- socket.dev for dependency risk analysis

## Core Workflow
1. **Dependency Audit**: Analyze package.json/requirements.txt/go.mod for known vulnerable versions, unmaintained packages, suspicious dependencies.
2. **Dependency Confusion**: Check if internal package names can be claimed on public registries (npm, PyPI). Test namespace squatting.
3. **CI/CD Pipeline Security**: Review GitHub Actions/GitLab CI for injection via PR titles/branch names, secrets in logs, unpinned action versions, runner escape.
4. **Build Artifact Integrity**: Verify signatures on containers/packages, check for unsigned artifacts, test image tag mutability.
5. **Lockfile Integrity**: Detect lockfile injection (manipulated resolved URLs), verify lockfile-to-manifest consistency.
6. **Install Script Abuse**: Identify packages with install hooks executing arbitrary code, test typosquatting candidates.
7. **SBOM Generation**: Generate Software Bill of Materials and map transitive dependency risk with CVE correlation.

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Dependency Scanning | Snyk, npm audit, pip-audit | Known CVE detection |
| Container Scanning | Trivy, Grype | Image vulnerability analysis |
| Dependency Risk | socket.dev, Semgrep | Behavioral risk analysis |
| CI/CD Review | custom scripts, actionlint | Pipeline security audit |
| SBOM | syft, cyclonedx-cli | Bill of materials generation |

## References
- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors