feat: add Dependency & Supply Chain Security audit category #93
Open
theLightArchitect wants to merge 1 commit into anthropics:main from
Adds a missing security category to both the Claude audit prompt and the slash command template. Current scans cover injection, auth, crypto, etc. but have no supply chain coverage despite it being a top attack vector (SolarWinds, XZ utils, npm typosquatting incidents).
New category checks for:
- CVEs in pinned dependency versions
- Loose version pinning (*, latest, >= without upper bound)
- Untrusted or non-standard registries
- Typosquatting in package names
- Dependency confusion (private vs public namespace)
- Malicious post-install scripts
- Lock file integrity issues
Closes anthropics#31
Summary
Adds a missing security category to both the Claude audit prompt and the slash command template. Current scans cover injection, auth, crypto, etc. but have no supply chain coverage despite it being a top attack vector (SolarWinds, XZ utils, npm typosquatting incidents).
The new Dependency & Supply Chain Security category checks for:
*, latest, >= without upper bound)
Both claudecode/prompts.py and .claude/commands/security-review.md are updated to stay in sync.
Test plan
- test_get_security_audit_prompt_contains_supply_chain_category — verifies the category is present in generated prompts
- test_get_security_audit_prompt_supply_chain_with_custom_instructions — verifies custom instructions still inject correctly after the new section
Closes #31
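
Four of the checks the summary lists (loose version pinning, non-standard registries, install scripts, lock file integrity), applied to an npm `package.json` and `package-lock.json`. This is an added example, not code from this pull request or the project; `is_loose`, `audit`, `TRUSTED_HOSTS` and the sample data are hypothetical names and constructed values, and the single trusted registry host is an assumption.

```python
from urllib.parse import urlparse

TRUSTED_HOSTS = {"registry.npmjs.org"}  # assumption: the only approved registry
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def is_loose(spec):
    """True for *, latest, or a > / >= range that has no upper bound."""
    s = spec.strip()
    if s in ("", "*", "x", "latest"):
        return True
    for alt in s.split("||"):  # every ||-alternative must be bounded
        parts = alt.split()
        if any(p.startswith(">") for p in parts) and not any(p.startswith("<") for p in parts):
            return True
    return False


def audit(manifest, lock):
    """Return (check, detail) findings for package.json / package-lock.json dicts."""
    findings = [("loose-pin", f"{name}@{spec}")
                for section in ("dependencies", "devDependencies")
                for name, spec in manifest.get(section, {}).items() if is_loose(spec)]
    findings += [("install-script", h) for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
    for path, entry in lock.get("packages", {}).items():
        if not path or entry.get("link"):  # skip the root project and workspace links
            continue
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in TRUSTED_HOSTS:
            findings.append(("registry", f"{path} -> {host}"))
        if not entry.get("integrity"):
            findings.append(("no-integrity", path))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE_MANIFEST = {
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
    "dependencies": {"left-pad": "*", "express": "^4.18.2", "lodash": ">=4.0.0"},
    "devDependencies": {"jest": "latest", "eslint": ">=8.0.0 <9.0.0"},
}
SAMPLE_LOCK = {"packages": {
    "": {"name": "demo"},
    "node_modules/express": {"resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/lodash": {"resolved": "https://mirror.example.test/lodash-4.17.21.tgz"},
}}

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_MANIFEST, SAMPLE_LOCK):
        print(f"{check:15} {detail}")
```

Caret and tilde ranges are treated as bounded because they imply an upper limit; CVE lookup, typosquatting and dependency confusion need external data and are not covered here.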