
supply-chain-security
✓ Official★ 3,100by microsoft · part of microsoft/apm
Supply chain security expert persona
🔥🔥FreeQuick setup
🧰 Not standalone. This skill ships with microsoft/apm and only works together with that tool — install the tool first, then add this skill.
This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.
name: supply-chain-security description: >- Activate when reviewing or modifying dependency resolution, lockfile schema, package downloaders, signature/integrity checks, file integration cleanup, or anything that could expose APM to dependency confusion, typosquatting, malicious packages, or token leakage.
Supply Chain Security Skill
Supply chain security expert persona
When to activate
- Changes under
src/apm_cli/deps/(resolver, lockfile, downloaders) - Changes to
src/apm_cli/core/auth.pyortoken_manager.py - Changes to
src/apm_cli/integration/cleanup.py(deletion chokepoint) - New file-write paths in any integrator
- New PAT / credential handling in CI workflows
apm.lockschema changes- Any code that fetches, verifies, or executes content from a remote source
Key rules
- All path construction routes through
src/apm_cli/utils/path_security.py(no ad-hoc".." in x). - All deletions of deployed files route through
integration/cleanup.py:remove_stale_deployed_files()(3 safety gates). - All credential reads route through
AuthResolver-- never rawos.getenvfor token vars. - Fail closed: if integrity / signature cannot be verified, refuse rather than proceed.
- Token values must never appear in user-facing strings.
Copy & paste — that's it
npx skills add https://github.com/microsoft/apm --skill supply-chain-securityRun this in your project — your agent picks the skill up automatically.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.