home/coding/prompt-supply-chain-security

Prompt Supply Chain Security

GPTClaudeDeepSeek··1,229 copies·updated 2026-07-14
prompt-supply-chain-security.prompt
# Prompt — Supply chain security (SBOM, signing)

> [🇷🇺 Русский](../ru/prompt-supply-chain-security.md) · 🇬🇧 **English**

[← Index](./README.md) · [Standards](./standards.md) · [Template](./template.md)

tags: #prompt #supply-chain #security #sbom #devops #single-shot
**Status:** `🧪 Experimental`
**Owner:** Pandamy619
**Last edit:** 2026-05-20
**Version:** v1
**Source idea:** [SLSA Framework](https://slsa.dev/), [Sigstore — Open source software signing](https://www.sigstore.dev/), [NIST SP 800-218 (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final)
**Delta from original:** ties target SLSA level, explicit requirement to sign artifacts in ALL environments (not only prod), separate workflow for vulnerability triage.

---

## When to use

- When a service is going to production and you need to know where you stand on dependencies and build integrity
- When preparing for a compliance audit (SOC 2, ISO 27001, FedRAMP)
- After an incident like the `xz utils backdoor` or `event-stream` — when it becomes clear that dependencies can't be trusted blindly

## What to substitute

- `{{project_type}}` — string, e.g. `python web service (FastAPI)` / `node monorepo (8 packages)`
- `{{package_managers}}` — list, e.g. `poetry; npm; apt`
- `{{registry}}` — string, e.g. `pypi public; npm public; private GitHub Packages for internal`
- `{{build_system}}` — string, e.g. `GitHub Actions; Docker buildx multi-arch`
- `{{deployment_target}}` — enum: `kubernetes | ecs | cloud_run | bare_metal | serverless`
- `{{compliance_requirements}}` — string, e.g. `SOC 2 Type II; SLSA level 3 target; FedRAMP Moderate`

## Definition of done

Universal minimum — see [Definition of done](./standards.md#2-definition-of-done).

Specific criteria:

- SBOM is generated in CI on every build and published as an artifact
- Target SLSA level (1/2/3/4) is specified with justification
- All artifacts are signed (cosign / sigstore), and signature is verified on deploy
- Lock files under automated control (dependabot / renovate / pip-tools)
- Vulnerability triage workflow is described with SLA by severity

## Prompt

fill the variables

This prompt has 6 variables. Pro fills them into a ready-to-paste prompt for you — no manual find-and-replace.

{{project_type}{{package_managers}{{registry}{{build_system}{{deployment_target}{{compliance_requirements}
Unlock with Pro →

when to use it

Community prompt sourced from the open-source GitHub repo pandamy619/Promts (MIT). A "Prompt Supply Chain Security" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.

tags

codingcommunitydeveloper

source

pandamy619/Promts · MIT