Labsco
microsoft logo

supply-chain-security

✓ Official1,245

by microsoft · part of microsoft/hve-core

Software supply chain security reference for OpenSSF Scorecard, SLSA, Sigstore, SBOM, and posture/backlog taxonomies.

🧩 One of 7 skills in the microsoft/hve-core package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

Supply Chain Security

This skill packages the durable software supply chain security (SSSC) reference material: open-standard catalogs, the combined capabilities inventory, and the classification taxonomies used to assess a repository's posture and turn gaps into prioritized work items.

When to use

Use this skill when you need to:

  • Assess a repository against the 27 combined supply chain capabilities from hve-core and physical-ai-toolchain.
  • Map posture against OpenSSF Scorecard, SLSA v1.0, OpenSSF Best Practices Badge, Sigstore (cosign), or NTIA SBOM minimum elements.
  • Classify a gap by adoption category, effort size, or qualitative concern level.
  • Derive work item priority and execution order from Scorecard risk levels.

Skill layout

Load the reference file for the topic you need. Each file holds the verbatim standard catalog or taxonomy.

ReferenceTopic
references/00-index.mdNavigation catalog for every reference in this skill
references/openssf-scorecard.mdOpenSSF Scorecard 20 checks with risk levels and score ranges
references/slsa-levels.mdSLSA v1.0 Build track levels L0 through L3
references/best-practices-badge.mdOpenSSF Best Practices Badge Passing, Silver, and Gold criteria
references/sigstore-maturity.mdSigstore (cosign) adoption maturity levels
references/sbom-elements.mdNTIA SBOM minimum elements and format guidance
references/capabilities-inventory.md27 combined capabilities across hve-core, PAT, and shared sets
references/adoption-categories.mdSix adoption categories, effort sizing, and concern levels
references/scorecard-check-mapping.mdFull 20-check implementation and adoption reference mapping
references/priority-derivation.mdRisk level to priority and execution order derivation

Attribution

Standard catalogs in this skill derive from their respective upstream projects. Per-reference attribution appears at the bottom of each reference file. See references/00-index.md for the consolidated attribution summary.