Slash Command

/verify

Verifies generated supply chain security configs including GitHub Actions workflows, cargo-deny.toml, rust-toolchain.toml, and release scripts for syntax, structure, security practices, and cross-file consistency, producing a detailed report.

Rust

GitHub Actions

security

code-quality

npx claudepluginhub sbom-tool/gh-guard

Popularity

Stars

Forks

Invocation

How this command is triggered — by the user, by Claude, or both

Slash command

/gh-guard:verify

Model invocable

No pre-commands

Tool Access

This command is limited to the following tools:

ReadGlobGrepBash

Context Preview

The summary Claude sees in its command listing — used to decide when to auto-load this command

# /verify — Post-Generation Validation

Verify that generated supply chain security configs are syntactically valid, internally consistent, and ready to deploy.

## Workflow

### Step 1: Find Generated Files

Scan for gh-guard artifacts:
- `.github/workflows/*.yml` — all workflow files
- `deny.toml` — cargo-deny configuration
- `rust-toolchain.toml` — toolchain pinning
- `.github/dependabot.yml` — Dependabot config
- `SECURITY.md` — security policy
- `scripts/release.sh` — release script
- `osv-scanner.toml` — OSV scanner config

Report which files are present.

### Step 2: YAML Syntax Vali...

Command Content

105 lines · ~857 tokens

Other plugins with /verify

/harden-actions

Pin GitHub Actions to SHAs, fix permissions, and flag dangerous triggers

14 tools

supply-chain-security

/verification-guide

Provides verification checklist for Stage 0 fingerprint analysis YAML output before saving to .sourceatlas/overview.yaml, with bash scripts to check file paths, counts, configs, and git branch.

sourceatlas

/validate

275

Validates project structure, git config, build setup, code quality, CI/CD workflows, and best practices; reports issues, score, and recommendations with --path and --verbose options.

attune

/verify

3.7k

Runs verification checks on codebase including types (mypy), lint (ruff), tests (pytest cov), security (pip-audit), secrets, prints, and git status. Outputs summary report with pass/fail and readiness status.

claude-scholar

/verify

1.6k

Verifies all git-changed files for common mistakes, logic errors, and security issues, outputting per-file summaries with issue counts and severity ratings (CRITICAL, WARNING, INFO).

double-check

/verify

523

Runs comprehensive codebase verification including build, type checks, linting, tests, console.log audit, and git status. Outputs PASS/FAIL report with PR readiness. Supports quick/full/pre-commit/pre-pr modes.

everything-claude-code

Stats

LanguageShell

Stars13

Forks2

MaintenanceExcellent

Last CommitMar 22, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

/verify — Post-Generation Validation

Verify that generated supply chain security configs are syntactically valid, internally consistent, and ready to deploy.

Workflow

Step 1: Find Generated Files

Scan for gh-guard artifacts:

.github/workflows/*.yml — all workflow files
deny.toml — cargo-deny configuration
rust-toolchain.toml — toolchain pinning
.github/dependabot.yml — Dependabot config
SECURITY.md — security policy
scripts/release.sh — release script
osv-scanner.toml — OSV scanner config

Report which files are present.

Step 2: YAML Syntax Validation

For each YAML file found:

Sanitize GitHub Actions ${{ }} expressions (replace with safe placeholders)
Validate YAML structure using python3 -c 'import yaml; yaml.safe_load(...)' or yq
Report: valid / invalid with error location

Step 3: Workflow Structure Validation

For each GitHub Actions workflow, check:

Required fields:

name: is present
on: trigger is defined
permissions: is set at workflow level
Each job has runs-on:

SHA pinning:

All uses: lines reference a full 40-char SHA (not a tag like @v4)
Exception: SLSA generator (slsa-github-generator) must use @tag
Version comments are present (e.g., # v6.0.2)

Security practices:

persist-credentials: false on checkout steps
fetch-depth: 0 in publish workflow (for ancestry verification)
--locked flag on cargo install commands

Step 4: cargo-deny Validation

If deny.toml exists:

Run cargo deny check --hide-inclusion-graph 2>&1 (if cargo-deny is installed)
Report any license violations, banned crates, or advisory findings
If not installed, check TOML syntax validity only

Step 5: Cross-File Consistency

Check relationships between files:

CI gate job: Does the CI workflow have a gate job with if: always() and needs: referencing all other jobs?
MSRV consistency: Does rust-toolchain.toml channel match the MSRV used in CI workflow?
Publish workflow references: If publish workflow references an environment name, note it for user to create
Fuzz targets: If fuzz workflow exists, does it reference targets that match fuzz/Cargo.toml [[bin]] entries?
Dependabot ecosystems: Does dependabot.yml cover both github-actions and cargo?

Step 6: release.sh Validation

If scripts/release.sh exists:

Check bash syntax: bash -n scripts/release.sh
Run dry-run: scripts/release.sh --dry-run <current-version-plus-one> (compute next patch version from Cargo.toml)
Report pre-flight check results

Step 7: Generate Report

## Verification Report

### Files Checked
| File | Syntax | Structure | Notes |
|------|--------|-----------|-------|
| .github/workflows/ci.yml | valid | 6 jobs, gate pattern | — |
| .github/workflows/publish.yml | valid | 3 jobs, OIDC auth | Create `crates-io` environment |
| deny.toml | valid | 4 check categories | 2 advisory warnings |
| ... | ... | ... | ... |

### SHA Pin Status
- X/Y actions are SHA-pinned with version comments
- Unpinned: [list]

### Issues Found
- [ ] Issue description and fix recommendation

### Ready to Deploy
All checks passed / X issues to resolve before deploying.