CtrlK
BlogDocsLog inGet started
Tessl Logo

endor-supply-chain

Assess supply chain risk for your repository by scanning dependencies, secrets, and GitHub Actions workflows using Endor Labs. Use when the user says "supply chain risk", "supply chain assessment", "assess my supply chain", "endor supply chain", "third-party risk", "software supply chain", or wants a combined view of dependency vulnerabilities, leaked secrets, and CI/CD pipeline risks. Do NOT use for GitHub Actions workflows only (/endor-ghactions), code-level SAST scanning (/endor-sast), single package checks (/endor-check), or full reachability analysis (/endor-scan-full).

94

Quality

92%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Endor Labs Supply Chain Risk Assessment

Assess supply chain risk by scanning dependencies (SCA), secrets, and GitHub Actions workflows in a single combined report.

Scope

This assessment covers three supply chain attack surfaces:

SurfaceWhat It DetectsScan Type
Dependencies (SCA)Known vulnerabilities, malware, unmaintained packagesvulnerabilities, dependencies
SecretsHardcoded credentials, API keys, tokens in sourcesecrets
GitHub ActionsUnsafe workflow patterns, pinning issues, injection risksghactions

Workflow

Step 1: Detect Project Context

  1. Determine absolute path to repository root
  2. Detect ecosystem by checking for manifest/lock files: package.json/yarn.lock (JS/TS), go.mod/go.sum (Go), requirements.txt/pyproject.toml (Python), pom.xml/build.gradle (Java), Cargo.toml (Rust)
  3. Check for .github/workflows/ directory — if absent, note that GitHub Actions scan will be skipped

Step 2: Run Supply Chain Scan

Use scan MCP tool:

  • path: absolute path to repository root
  • scan_types: ["vulnerabilities", "dependencies", "secrets", "ghactions"]
  • scan_options: { "quick_scan": true }

CLI fallback (only if MCP genuinely unavailable):

npx -y endorctl scan --path $(pwd) --dependencies --secrets --ghactions --output-type summary -n <namespace>

Show exact error messages — do not guess at causes.

If a scan partially succeeds (e.g., dependency scan works but GitHub Actions scan finds no workflows), present the available results with a note about which scan types returned no data. Do not discard partial results.

Step 3: Retrieve Finding Details

For each critical/high finding UUID, use get_resource MCP tool (uuid, resource_type: Finding).

For reachability tag interpretation, read references/reachability-tags.md.

Step 4: Present Supply Chain Risk Report

Structure the report as three sections, one per attack surface:

## Supply Chain Risk Assessment

**Repository:** {repo path}
**Ecosystem:** {detected ecosystem}
**Scan Date:** {date}

---

### 1. Dependency Vulnerabilities (SCA)

**Dependencies Scanned:** {count} | **Findings:** {count}

| Severity | Count | Reachable | Action |
|----------|-------|-----------|--------|
| Critical | {n}   | {n}       | Fix immediately |
| High     | {n}   | {n}       | Fix soon |
| Medium   | {n}   | -         | Review |
| Low      | {n}   | -         | Monitor |

**Top Findings:**

| Package | Version | CVE | Severity | Reachable | Fixed In |
|---------|---------|-----|----------|-----------|----------|
| {name}  | {ver}   | {cve} | {sev}  | {yes/no}  | {ver}    |

Distinguish direct vs transitive dependencies. For transitive vulns, identify the direct dependency that pulls them in.

---

### 2. Exposed Secrets

**Secrets Found:** {count}

| # | Type | File | Line | Risk |
|---|------|------|------|------|
| 1 | {type} | {file} | {line} | {risk} |

If secrets found, include urgent rotation guidance:
> **ACTION REQUIRED** — Rotate all exposed secrets immediately. Secrets committed to version control should be considered compromised.

---

### 3. GitHub Actions Risks

**Workflows Scanned:** {count} | **Findings:** {count}

| # | Workflow | Issue | Severity | Recommendation |
|---|----------|-------|----------|----------------|
| 1 | {file}   | {issue} | {sev}  | {fix}          |

If no `.github/workflows/` directory exists, note:
> No GitHub Actions workflows found — this section is not applicable.

---

### Supply Chain Risk Summary

| Attack Surface | Risk Level | Key Issue |
|----------------|------------|-----------|
| Dependencies   | {Critical/High/Medium/Low/Clean} | {top issue or "No vulnerabilities found"} |
| Secrets        | {Critical/Clean} | {top issue or "No secrets detected"} |
| GitHub Actions | {High/Medium/Low/Clean} | {top issue or "No issues found"} |

**Overall Supply Chain Risk:** {Critical/High/Medium/Low}

Priority Order

  1. Critical reachable dependency vulnerabilities
  2. Exposed secrets (always critical)
  3. Critical unreachable dependency vulnerabilities
  4. High reachable dependency vulnerabilities
  5. GitHub Actions critical/high issues
  6. High unreachable dependency vulnerabilities
  7. Medium/Low findings across all categories

Next Steps

  1. /endor-fix {top-cve} — remediate critical dependency vulnerabilities
  2. /endor-secrets — deep-dive on exposed secrets with rotation guidance
  3. /endor-check {package} — investigate a specific dependency
  4. /endor-explain {cve} — get detailed CVE information
  5. /endor-scan-full — full reachability analysis for dependency findings
  6. /endor-cicd — add Endor Labs to CI/CD pipeline for continuous monitoring
  7. /endor-policy — create policies to enforce supply chain standards

For data source policy, read references/data-sources.md.

Error Handling

Show exact error messages — do not guess at causes. Suggest /endor-troubleshoot or /endor-setup as appropriate.

ErrorAction
Auth error / browser opensComplete browser login, retry. Do not bypass to CLI
Missing auth configRun /endor-setup to choose an auth workflow
No manifest foundList supported ecosystems, still run secrets + ghactions scans
No GitHub workflowsSkip ghactions section, present SCA + secrets results
Scan timeoutRun each scan type separately or scan subdirectory
MCP unavailable/endor-setup. CLI fallback only if user confirms
Unknown errorShow exact error, suggest /endor-troubleshoot
Repository
endorlabs/skills-ideas
Commit

344e7ff

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill