Slash Command

/generate

Generates a supply chain security config file from templates like CI workflows, deny.toml, rust-toolchain.toml, or dependabot.yml, auto-filling with detected project values.

Rust

Git

GitHub Actions

security

npx claudepluginhub sbom-tool/gh-guard

Allowed Tools

ReadGlobGrepBashWriteAskUserQuestion

Prompt Preview

# /generate <target> — Single File Generator

Generate a single supply chain security config file from a template, with auto-detected project values.

## Usage



## Available Targets

| Target | Template | Output Path |
|--------|----------|------------|
| `ci-workflow` | `templates/workflows/ci.yml` | `.github/workflows/ci.yml` |
| `publish-workflow` | `templates/workflows/publish.yml` | `.github/workflows/publish.yml` |
| `codeql` | `templates/workflows/codeql.yml` | `.github/workflows/codeql.yml` |
| `scorecard` | `templates/workflows/scorecard.yml` | `.github/workflows/scorecard.yml` |...

Command Content

Other plugins with /generate

/harden-actions

Pin GitHub Actions to SHAs, fix permissions, and flag dangerous triggers

14 tools

supply-chain-security

/gen-github-dir

Generates complete .github directory for Go projects with GitHub Actions workflows, Dependabot config, and funding setup. Supports --force, --minimal, --dry-run flags.

5 tools

go-specialist

/cc-cicd

Generates, audits, or templates CI/CD workflows for GitHub Actions, GitLab CI, or Azure Pipelines, integrating Claude Code for PR reviews, testing, code generation, and security scanning.

claude-code-expert

/generate

2.3k

Generates a complete wiki for the current repo as a VitePress site with catalogue, onboarding guides, pages, dark-mode Mermaid diagrams, and citations.

deep-wiki

/generate

147

Generates a Context Field with name, one-sentence description, and up to 5 specific inhibition constraints from a failure description, including root cause analysis.

context-fields

/generate

145

Generates ADVPL/TLPP code for TOTVS Protheus: functions, classes, MVC structures, REST APIs, web services, entry points, reports, and more via <type> [name] [--module].

9 tools

advpl-specialist

Stats

Stars13

Forks2

Last CommitMar 10, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/generate — Single File Generator

Generate a single supply chain security config file from a template, with auto-detected project values.

Usage

/generate <target>

Available Targets

Target	Template	Output Path
`ci-workflow`	`templates/workflows/ci.yml`	`.github/workflows/ci.yml`
`publish-workflow`	`templates/workflows/publish.yml`	`.github/workflows/publish.yml`
`codeql`	`templates/workflows/codeql.yml`	`.github/workflows/codeql.yml`
`scorecard`	`templates/workflows/scorecard.yml`	`.github/workflows/scorecard.yml`
`fuzz`	`templates/workflows/fuzz.yml`	`.github/workflows/fuzz.yml`
`deny-toml`	`templates/deny.toml`	`deny.toml`
`rust-toolchain`	`templates/rust-toolchain.toml`	`rust-toolchain.toml`
`dependabot`	`templates/dependabot.yml`	`.github/dependabot.yml`
`security-md`	`templates/SECURITY.md`	`SECURITY.md`
`release-script`	`templates/release.sh`	`scripts/release.sh`
`osv-scanner`	`templates/osv-scanner.toml`	`osv-scanner.toml`

Workflow

Step 1: Parse Target

Parse the argument to determine which template to use. If no argument or invalid target, show the available targets table above and ask the user to choose.

Step 2: Auto-Detect Values

Read project files to fill in placeholders:

Placeholder	Detection Method (prefer `cargo metadata`, fall back to parsing)
`{{CRATE_NAME}}`	`cargo metadata --no-deps --format-version=1 \| jq -r '.packages[0].name'` — fallback: `sed -nE 's/^name = "([^"]+)"/\1/p' Cargo.toml \| head -1`
`{{MSRV}}`	`cargo metadata --no-deps --format-version=1 \| jq -r '.packages[0].rust_version // empty'` — fallback: `sed -nE 's/^channel = "([^"]+)"/\1/p' rust-toolchain.toml`
`{{REPO_OWNER}}`	`git remote get-url origin \| sed -E 's
`{{REPO_NAME}}`	`git remote get-url origin \| sed -E 's
`{{CONTACT_EMAIL}}`	`cargo metadata --no-deps --format-version=1 \| jq -r '.packages[0].authors[0]' \| sed -E 's/.<([^>]+)>./\1/'` — fallback: ask user
`{{FUZZ_TARGETS}}`	Parse `fuzz/Cargo.toml` for `[[bin]] name = "..."` entries
`{{WORKSPACE_CRATES}}`	`cargo metadata --no-deps --format-version=1 \| jq -r '[.packages[] \| select(.publish != false)] \| sort_by(.dependencies) \| .[].name'` — filtered by publishable crates, in dependency order

Important: cargo metadata handles workspace inheritance, TOML edge cases, and multi-line fields correctly. Always prefer it over sed parsing. Only fall back to sed if cargo metadata fails (e.g., no Cargo.toml or broken manifest).

If a required value can't be detected, ask the user.

Step 3: Check for Existing File and Show Diff

If the output file does NOT exist, proceed to Step 4.

If the output file already exists:

Generate the new content in memory — read the template, replace all {{PLACEHOLDER}} tokens with detected values (but do not write yet)
Compare existing vs generated:
- If the files are identical, tell the user: "File already matches the template — no changes needed." Skip to Step 5.
- If the files differ, show a unified diff in a fenced code block so the user can see exactly what would change:
```
--- existing .github/workflows/ci.yml
+++ generated from template
@@ -1,4 +1,4 @@
-old line
+new line
```
Ask the user: Apply (overwrite with generated) / Keep existing / Show full generated file
- If "Apply" — proceed to Step 4 (write the generated content)
- If "Keep existing" — skip to Step 5
- If "Show full generated file" — display the full generated content, then ask again: Apply / Keep existing
Never silently overwrite

Step 4: Generate

Read the template from the gh-guard plugin directory
Replace all {{PLACEHOLDER}} tokens with detected values
Create parent directories if needed (e.g., .github/workflows/, scripts/)
Write the file
For release-script: make executable (chmod +x)

Step 5: Post-Generation Notes

Show target-specific notes:

ci-workflow:

Set "CI" as the required status check in branch protection

publish-workflow:

Create crates-io environment in repo Settings > Environments
Configure Trusted Publishing at crates.io/crates/{{CRATE_NAME}}/settings
Workspace: configure Trusted Publishing for EACH publishable crate separately
Ensure Cargo.toml version matches tag before pushing
To retrigger a failed publish: gh workflow run publish.yml -f tag=vX.Y.Z

codeql:

Disable "default setup" in repo Settings > Code Security first

scorecard:

Results appear in repo's Security tab after first run
Badge available at api.securityscorecards.dev

fuzz:

Update the matrix.target list with your actual fuzz target names
Initialize targets: cargo fuzz init && cargo fuzz add <target_name>

deny-toml:

Review the license allowlist — add any licenses your dependencies use
Review the ban list — add crates you want to prohibit

rust-toolchain:

This pins your toolchain for all contributors
Update when bumping MSRV

dependabot:

PRs will start appearing within a week

security-md:

Update the supported versions table
Verify the Security Advisories link works

release-script:

Requires gh CLI installed and authenticated
Requires a signing key configured (git config user.signingkey)
Run with: scripts/release.sh X.Y.Z

osv-scanner:

Uncomment ecosystem overrides for ecosystems in your test fixtures
Copy to subdirectories that contain fixture files (doesn't propagate)