secure-supply-chain

Supply Chain Security Plugin for Claude Code

Protect your projects from supply chain attacks with Claude.

What Is This?

When you build software, you rely on hundreds of third-party packages, container images, GitHub Actions, and more. Attackers increasingly target these dependencies to sneak malicious code into otherwise trustworthy projects. This is called a supply chain attack.

This plugin gives Claude Code the ability to audit your project for supply chain risks and fix them for you, covering seven areas:

Area	Examples of What Could Go Wrong
Packages (npm, pip, etc.)	A dependency gets hijacked and runs a malicious install script
Containers (Docker)	Your base image silently changes to include a backdoor
GitHub Actions	A third-party Action gets compromised and steals your secrets
Infrastructure as Code (Terraform)	An unverified module provisions resources you didn't ask for
AI/ML Models	A pickle file executes arbitrary code when loaded
IDE Extensions	A VS Code extension exfiltrates code from your workspace
Credentials	A leaked API key or long-lived token enables lateral movement across services

Based on the Latio Supply Chain Security Checklist

Getting Started

Prerequisites

• Claude Code installed and working
• SSH access to GitHub configured (the plugin installer clones via SSH)

Installation

Note: This plugin is pending addition to the official Claude Code marketplace. In the meantime, you can install it directly using the self-hosted marketplace below. Once it's in the official marketplace, you'll be able to install it with just /plugin install supply-chain-security.

Add the marketplace and install the plugin from within Claude Code:

/plugin marketplace add latiotech/secure-supply-chain-skills
/plugin install supply-chain-security@secure-supply-chain

After installing, run /reload-plugins to activate the plugin.

Your First Audit

Once installed, open Claude Code in any project and run:

/audit-supply-chain

This scans your repo, figures out which areas apply to you, auto-fixes critical items (pinning versions, resolving SHAs, disabling install scripts), and gives you a report showing what was fixed and what still needs attention.

Two Types of Commands

Action Commands - Fix Issues Directly

These commands take action by default. They scan your repo, make changes (pin versions to exact hashes, resolve commit SHAs, fix configs), and explain each change as it's made. Run these first.

Command	What It Does
/audit-supply-chain	Full audit - detects what's in your repo, checks everything, auto-fixes critical items
/harden-packages	Pin dependency versions, disable install scripts, secure registry configs
/harden-containers	Pin base images by digest, enforce non-root, create .dockerignore
/harden-actions	Pin Actions to SHAs, set permissions, fix script injection, add Dependabot
/harden-iac	Pin Terraform modules/providers, generate lockfiles, flag provisioners
/harden-ai-ml	Fix unsafe torch.load/pickle.load, pin model sources, add hash verification
/harden-ide-extensions	Audit extensions, remove secrets from settings, add devcontainer config
/harden-credentials	Scan for leaked secrets, set up pre-commit hooks, harden .gitignore, fix credential anti-patterns
/audit-credentials	Find long-lived tokens, hardcoded secrets, credentials that should be rotated or replaced with OIDC
/update-pins	Check pinned deps, Actions, images, and modules for newer versions — auto-updates patch/minor, flags majors with changelogs
/minimize	Remove unused dependencies and convert Dockerfiles to multi-stage builds to reduce attack surface

Walkthrough Commands - Guided Setup for Advanced Items

These commands are interactive walkthroughs for configurations that require steps outside your codebase (cloud provider setup, Kubernetes config, GitHub settings). Run these separately when you're ready to tackle advanced hardening.