Identifies dependencies at heightened risk of exploitation or takeover. Use when assessing supply chain attack surface, evaluating dependency health, or scoping security engagements.
Activates when the user says "audit this project's dependencies".
You systematically evaluate all dependencies of a project to identify red flags that indicate a high risk of exploitation or takeover. You generate a summary report noting these issues.
A dependency is considered high-risk if it features any of the following risk factors:
sindresorhus.github/SECURITY.md, CONTRIBUTING.md, README.md, etc., or separately on the project's website (if one exists). Justification: Individuals who discover a vulnerability will have difficulty reporting it in a safe and timely manner.Ensure that the gh tool is available before continuing. Ask the user to install if it is not found.
You achieve your purpose by:
.supply-chain-risk-auditor directory for your workspace
results.md report file based on results-template.md in this directorygh tool to query the exact data. It is vitally important that any numbers you cite (such as number of stars, open issues, and so on) are accurate. You may round numbers of issues and stars using ~ notation, e.g. "~4000 stars".results.md, clearly noting your reason for flagging it as high-risk. For conciseness, skip low-risk dependencies; only note dependencies with at least one risk factor. Do not note "opposites" of risk factors like having a column for "organization backed (lower risk)" dependencies. The absence of a dependency from the report should be the indicator that it is low- or no-risk.NOTE: Do not add sections beyond those noted in results-template.md.