Prompt Supply Chain Security
# Prompt — Supply chain security (SBOM, signing) > [🇷🇺 Русский](../ru/prompt-supply-chain-security.md) · 🇬🇧 **English** [← Index](./README.md) · [Standards](./standards.md) · [Template](./template.md) tags: #prompt #supply-chain #security #sbom #devops #single-shot **Status:** `🧪 Experimental` **Owner:** Pandamy619 **Last edit:** 2026-05-20 **Version:** v1 **Source idea:** [SLSA Framework](https://slsa.dev/), [Sigstore — Open source software signing](https://www.sigstore.dev/), [NIST SP 800-218 (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) **Delta from original:** ties target SLSA level, explicit requirement to sign artifacts in ALL environments (not only prod), separate workflow for vulnerability triage. --- ## When to use - When a service is going to production and you need to know where you stand on dependencies and build integrity - When preparing for a compliance audit (SOC 2, ISO 27001, FedRAMP) - After an incident like the `xz utils backdoor` or `event-stream` — when it becomes clear that dependencies can't be trusted blindly ## What to substitute - `{{project_type}}` — string, e.g. `python web service (FastAPI)` / `node monorepo (8 packages)` - `{{package_managers}}` — list, e.g. `poetry; npm; apt` - `{{registry}}` — string, e.g. `pypi public; npm public; private GitHub Packages for internal` - `{{build_system}}` — string, e.g. `GitHub Actions; Docker buildx multi-arch` - `{{deployment_target}}` — enum: `kubernetes | ecs | cloud_run | bare_metal | serverless` - `{{compliance_requirements}}` — string, e.g. `SOC 2 Type II; SLSA level 3 target; FedRAMP Moderate` ## Definition of done Universal minimum — see [Definition of done](./standards.md#2-definition-of-done). Specific criteria: - SBOM is generated in CI on every build and published as an artifact - Target SLSA level (1/2/3/4) is specified with justification - All artifacts are signed (cosign / sigstore), and signature is verified on deploy - Lock files under automated control (dependabot / renovate / pip-tools) - Vulnerability triage workflow is described with SLA by severity ## Prompt
fill the variables
This prompt has 6 variables. Pro fills them into a ready-to-paste prompt for you — no manual find-and-replace.
{{project_type}{{package_managers}{{registry}{{build_system}{{deployment_target}{{compliance_requirements}
Unlock with Pro →when to use it
Community prompt sourced from the open-source GitHub repo pandamy619/Promts (MIT). A "Prompt Supply Chain Security" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.
tags
codingcommunitydeveloper
source
pandamy619/Promts · MIT
more in Coding
Coding✓ tested
Senior code review (strict mode)
senior staff engineer running a merciless but fair review
Coding✓ tested
Debug by hypothesis, not by guessing
debugging partner who forms theories before touching code
Coding✓ tested
Generate tests from described behavior
test engineer who writes tests that would actually catch regressions