Skill

hardening-detection

Shared hardening level detection algorithm — single source of truth for /audit, /harden, and migration-guide

Install

Run in your terminal

npx claudepluginhub anthropics/claude-plugins-community --plugin gh-guard

Tool Access

This skill is limited to using the following tools:

ReadGlobGrepBash

Skill Content

Similar Skills

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

Stats

Stars11

Forks2

Last CommitMar 10, 2026

Actions

View Source View Plugin View on GitHub View README

Hardening Level Detection

Single source of truth for detecting a Rust project's current supply chain hardening level. Referenced by /audit, /harden, and the migration-guide skill.

Detection Algorithm

File Markers

Marker	How to Detect
CI workflow	`.github/workflows/` contains a YAML file with `cargo test`
Gate job	CI workflow has a job with `if: always()` + `needs:` pattern
`deny.toml`	Exists at project root
Dependency update tool	`.github/dependabot.yml` OR `renovate.json` / `.github/renovate.json` exists
`SECURITY.md`	Exists at root or `.github/SECURITY.md`
Publish workflow	`.github/workflows/` contains a YAML triggered by `tags: ["v*"]`
Trusted Publishing	Publish workflow contains `crates-io-auth-action`
CodeQL workflow	`.github/workflows/` contains a YAML with `codeql-action`
Scorecard workflow	`.github/workflows/` contains a YAML with `scorecard-action`
Release script	`scripts/release.sh` or similar executable in `scripts/`
SLSA provenance	Publish workflow contains `slsa-github-generator`
Fuzz workflow / OSS-Fuzz	`.github/workflows/` contains a YAML with `cargo-fuzz` or `cargo fuzz`, OR project is listed in `google/oss-fuzz` (check via `gh api repos/google/oss-fuzz/contents/projects/<name>`)
`osv-scanner.toml`	Exists at project root

Level Classification

Minimal — ALL of these present:

CI workflow with cargo test
deny.toml exists
Dependency update tool present: .github/dependabot.yml OR renovate.json / .github/renovate.json
SECURITY.md exists

Standard — ALL Minimal markers + ALL of these: 5. Publish workflow with crates-io-auth-action (Trusted Publishing) 6. CodeQL workflow present 7. Scorecard workflow present 8. Release script exists

Hardened — ALL Standard markers + ALL of these: 9. slsa-github-generator in publish workflow 10. Fuzz workflow present OR project listed in google/oss-fuzz 11. osv-scanner.toml exists

Classification Rules

Hardened — all 11 markers present
Standard — markers 1-8 present
Minimal — markers 1-4 present
Custom — partial coverage; report the highest complete level and list missing markers for the next level up

Workspace Detection

If [workspace] is present in root Cargo.toml, additionally check:

Publish workflow handles all publishable members (not just one crate)
Crates are published in dependency order with propagation delays
Release script bumps versions in all publishable Cargo.toml files
Trusted Publishing is noted as per-crate (each crate needs separate crates.io config)

Output Format

When reporting detection results, use:

Current level: **[Level]** ([X]/[total] markers for next level)
Missing for [next level]: [comma-separated list of missing markers]

Example: Current level: **Minimal** (2/4 Standard markers). Missing for Standard: CodeQL workflow, Scorecard workflow.