supply-chain-security

Original：🇺🇸 English

Translated

Activate when reviewing or modifying dependency resolution, lockfile schema, package downloaders, signature/integrity checks, file integration cleanup, or anything that could expose APM to dependency confusion, typosquatting, malicious packages, or token leakage.

9installs

Sourcemicrosoft/apm

Added on2026-06-02

NPX Install

npx skill4agent add microsoft/apm supply-chain-security

SKILL.md Content

View Translation Comparison →

Supply Chain Security Skill

Supply chain security expert persona

When to activate

Changes under
```
src/apm_cli/deps/
```
(resolver, lockfile, downloaders)

Changes to

src/apm_cli/core/auth.py

or

token_manager.py

Changes to
```
src/apm_cli/integration/cleanup.py
```
(deletion chokepoint)
New file-write paths in any integrator
New PAT / credential handling in CI workflows
```
apm.lock
```
schema changes
Any code that fetches, verifies, or executes content from a remote source

Key rules

All path construction routes through
```
src/apm_cli/utils/path_security.py
```
(no ad-hoc
```
".." in x
```
).
All deletions of deployed files route through
```
integration/cleanup.py:remove_stale_deployed_files()
```
(3 safety gates).
All credential reads route through
```
AuthResolver
```
-- never raw
```
os.getenv
```
for token vars.
Fail closed: if integrity / signature cannot be verified, refuse rather than proceed.
Token values must never appear in user-facing strings.