
supply_chain_security

Docker image signing (Cosign), SBOM generation, SLSA provenance attestation, GHCR registry management.

Install

mkdir -p .claude/skills/supply-chain-security && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/14519" && unzip -o skill.zip -d .claude/skills/supply-chain-security && rm skill.zip

Installs to .claude/skills/supply-chain-security

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Docker image signing (Cosign), SBOM generation, SLSA provenance attestation, GHCR registry management.

About this skill

Supply Chain Security (RESTO BOT)

Docker image pipeline

  • Build: project/.github/workflows/build-push-artifacts.yml
  • Registry: GitHub Container Registry (GHCR)
  • Images built: gateway, admin-dashboard, kiosk-app, cms (Strapi)

Signing and attestation

  • Cosign: Image signing with key pair
    • Secrets: COSIGN_PASSWORD, COSIGN_PRIVATE_KEY (GitHub Actions secrets)
    • Verify: cosign verify --key cosign.pub <image>
  • SBOM: Software Bill of Materials generated per build
  • SLSA Provenance: Attestation for build reproducibility

SHA-pinning policy

  • All GitHub Actions must use SHA-pinned references
  • Example: uses: actions/checkout@<full 40-hex commit SHA> (not @v4); GitHub Actions are pinned to a git commit SHA, not to a sha256: image digest
  • Enforced in CI lint step
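The lint step the policy refers to is not shown on the page; the following POSIX sh script is an added example (not the skill's or the project's own code) of such a check. It walks every `uses:` line in the given workflow files and reports any reference whose version part is not a full 40-character hex commit SHA. Local actions (`./...`) and `docker://` references are skipped, which is an assumption about the policy's scope; the sample workflow it writes is constructed, and its pinned SHA is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example: lint GitHub Actions workflow files for unpinned `uses:` references.
# Assumes POSIX sh with grep, sed and tr. Not part of the original skill.

# Print every `uses:` reference in the given files that is NOT pinned to a
# 40-hex commit SHA, as "file:line: not SHA-pinned: ref".
# Returns 0 when everything is pinned, 1 when at least one finding was printed.
lint_action_pins() {
    findings=$(
        for f in "$@"; do
            # Match "uses:" at the start of a step ("- uses:") or inside one ("uses:")
            grep -n -E '^[[:space:]]*-?[[:space:]]*uses:' "$f" 2>/dev/null |
            while IFS= read -r line; do
                lineno=${line%%:*}
                # Keep only the reference: drop "N:", the key, trailing comments and quotes
                ref=$(printf '%s\n' "$line" |
                      sed -E 's/^[0-9]+:[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]+$//' |
                      tr -d "\"'")
                case "$ref" in
                    ./*|docker://*) continue ;;   # out of scope (assumption): local actions, images
                esac
                version=${ref##*@}                 # text after the last "@" (whole ref if none)
                if ! printf '%s\n' "$version" | grep -q -E '^[0-9a-f]{40}$'; then
                    printf '%s:%s: not SHA-pinned: %s\n' "$f" "$lineno" "$ref"
                fi
            done
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample workflow (not the project's): one pinned step, two tag-pinned
# steps and one local action. The 40-hex value is a placeholder, not a real commit.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: build-push-artifacts
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/setup-node@v4
      - name: Build image
        uses: "docker/build-push-action@v5"
      - uses: ./.github/actions/local-helper
EOF
}

# Usage in CI: lint_action_pins project/.github/workflows/*.yml || exit 1
```

Run it over `project/.github/workflows/*.yml` in the CI lint step; a non-zero exit fails the job, and each printed line names the file, line and offending reference.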

Version consistency

  • N8N_VERSION must match across:
    • project/.env
    • project/.github/workflows/ci.yml
    • project/.github/workflows/security-scan.yml
  • Base images pinned in Dockerfiles and compose
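As an added example (not the project's own tooling) of the N8N_VERSION consistency check, the POSIX sh script below reads the variable from each listed file and fails if any file is missing it or declares a different value. It accepts both the dotenv form (`N8N_VERSION=1.80.0`) and the YAML env form (`N8N_VERSION: "1.80.0"`); how the workflows actually declare the variable is an assumption, and the sample project it writes is constructed.

```shell
#!/bin/sh
# Added example: verify that N8N_VERSION agrees across .env and the CI workflows.
# Assumes POSIX sh with grep, sed, head and tr. Not part of the original skill.

# Print the N8N_VERSION value declared in one file (first declaration wins),
# or nothing if the file has none. Quotes and trailing comments are stripped.
n8n_version_in() {
    grep -E '^[[:space:]]*N8N_VERSION[[:space:]]*[:=]' "$1" 2>/dev/null |
        head -n 1 |
        sed -E 's/^[[:space:]]*N8N_VERSION[[:space:]]*[:=][[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]+$//' |
        tr -d "\"'"
}

# Compare the value across all given files. Prints one line per file plus a
# verdict; returns 0 only when every file declares the same non-empty version.
check_n8n_version() {
    expected=""
    rc=0
    for f in "$@"; do
        v=$(n8n_version_in "$f")
        printf '%s: %s\n' "$f" "${v:-<missing>}"
        if [ -z "$v" ]; then
            rc=1
            continue
        fi
        if [ -z "$expected" ]; then
            expected=$v
        elif [ "$v" != "$expected" ]; then
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        printf 'OK: N8N_VERSION=%s in all %s files\n' "$expected" "$#"
    else
        printf 'MISMATCH: N8N_VERSION differs or is missing\n'
    fi
    return "$rc"
}

# Constructed sample project (not the real one): .env and ci.yml agree,
# security-scan.yml has drifted to an older version.
write_sample_project() {
    mkdir -p "$1/.github/workflows"
    printf 'N8N_VERSION=1.80.0\nPOSTGRES_IMAGE=postgres:15-alpine\n' > "$1/.env"
    printf 'env:\n  N8N_VERSION: "1.80.0"\n' > "$1/.github/workflows/ci.yml"
    printf 'env:\n  N8N_VERSION: "1.79.0"  # drifted\n' > "$1/.github/workflows/security-scan.yml"
}

# Usage against the repository layout named in the policy:
#   check_n8n_version project/.env \
#       project/.github/workflows/ci.yml \
#       project/.github/workflows/security-scan.yml
```

The per-file lines double as the "version consistency check" evidence the skill is asked to produce; the exit status lets the same script gate a CI job.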

Image inventory

  Image                       Source          Signed
  nginx:1.27-alpine           Docker Hub      N/A (upstream)
  n8n:1.80.0                  docker.n8n.io   N/A (upstream)
  postgres:15-alpine          Docker Hub      N/A (upstream)
  redis:7-alpine              Docker Hub      N/A (upstream)
  traefik:v3.6.6              Docker Hub      N/A (upstream)
  ollama:0.6.2                Docker Hub      N/A (upstream)
  gateway (custom)            GHCR            Cosign
  admin-dashboard (custom)    GHCR            Cosign
  kiosk-app (custom)          GHCR            Cosign
  cms (custom)                GHCR            Cosign

Key files

  • project/.github/workflows/build-push-artifacts.yml
  • project/.github/workflows/security-scan.yml (Trivy)
  • project/admin-dashboard/Dockerfile
  • project/kiosk-app/Dockerfile
  • project/inventory-cms/Dockerfile

Required output

  • Signing verification evidence
  • SBOM generation confirmation
  • SHA-pin audit for GitHub Actions
  • Version consistency check
