Pentest Supply Chain

Purpose

Supply chain attacks (SolarWinds, Log4Shell, xz-utils) are the fastest-growing threat category. Shannon explicitly excludes "vulnerable third-party libraries" from its scope, and no existing skill covers MITRE ATT&CK T1195 (Supply Chain Compromise).

Prerequisites

Authorization Requirements

  • Written authorization with supply chain testing scope
  • Repository access for dependency and CI/CD analysis
  • Registry awareness — confirm which private registries are in use
  • Build system access for pipeline review (if white-box)

Environment Setup

  • Snyk CLI for dependency vulnerability scanning
  • npm audit / pip-audit for ecosystem-specific checks
  • Trivy for container and filesystem scanning
  • socket.dev for dependency risk analysis

Core Workflow

  1. Dependency Audit: Analyze package.json/requirements.txt/go.mod for known vulnerable versions, unmaintained packages, suspicious dependencies.
  2. Dependency Confusion: Check if internal package names can be claimed on public registries (npm, PyPI). Test namespace squatting.
  3. CI/CD Pipeline Security: Review GitHub Actions/GitLab CI for injection via PR titles/branch names, secrets in logs, unpinned action versions, runner escape.
  4. Build Artifact Integrity: Verify signatures on containers/packages, check for unsigned artifacts, test image tag mutability.
  5. Lockfile Integrity: Detect lockfile injection (manipulated resolved URLs), verify lockfile-to-manifest consistency.
  6. Install Script Abuse: Identify packages with install hooks executing arbitrary code, test typosquatting candidates.
  7. SBOM Generation: Generate Software Bill of Materials and map transitive dependency risk with CVE correlation.
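
An added example for step 5, not part of the skill's own reference files: a check over an npm `package.json` / `package-lock.json` (lockfile v2 or v3) pair that flags `resolved` URLs outside an expected registry, non-HTTPS sources, missing or weak integrity hashes, and manifest entries that the lockfile does not match. The allowlisted host, the sha512 requirement and all sample package data are assumptions made for the illustration.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"registry.npmjs.org"}  # assumption: the only registry this project uses

def audit_lockfile(manifest, lock, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for a package.json / package-lock.json (v2 or v3) pair."""
    findings = []
    packages = lock.get("packages", {})
    for path, meta in packages.items():
        # Skip the root project, workspace links and bundled packages (no resolved URL).
        if path == "" or meta.get("link") or meta.get("inBundle"):
            continue
        name = path.split("node_modules/")[-1]
        url = urlparse(meta.get("resolved", ""))
        if url.scheme != "https":
            findings.append(f"{name}: source is not HTTPS ({meta.get('resolved')})")
        elif url.hostname not in allowed_hosts:
            findings.append(f"{name}: unexpected registry host {url.hostname}")
        if not meta.get("integrity", "").startswith("sha512-"):
            findings.append(f"{name}: missing or weak integrity hash")
    # Lockfile-to-manifest consistency: every declared dependency must be locked,
    # and the ranges recorded in the lockfile root must match package.json.
    root = packages.get("", {})
    for field in ("dependencies", "devDependencies"):
        for dep, spec in manifest.get(field, {}).items():
            if f"node_modules/{dep}" not in packages:
                findings.append(f"{dep}: in {field} but absent from lockfile")
            elif root.get(field, {}).get(dep) != spec:
                findings.append(f"{dep}: range {spec} differs from lockfile root")
    return findings

# Constructed sample input (package names, hosts and hashes are placeholders).
MANIFEST = {"dependencies": {"left-pad": "^1.3.0", "internal-utils": "^2.0.0"},
            "devDependencies": {"mocha": "^10.0.0"}}
LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"left-pad": "^1.3.0", "internal-utils": "^1.0.0"}},
    "node_modules/left-pad": {
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        "integrity": "sha512-CONSTRUCTED"},
    "node_modules/internal-utils": {
        "resolved": "https://packages.example.net/internal-utils-2.0.1.tgz",
        "integrity": "sha512-CONSTRUCTED"},
    "node_modules/debug": {
        "resolved": "http://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
        "integrity": "sha1-CONSTRUCTED"}}}

if __name__ == "__main__":
    for finding in audit_lockfile(MANIFEST, LOCK):
        print(finding)
```

Add any private registry hosts confirmed during scoping to `ALLOWED_HOSTS` before running it against a real lockfile; git and tarball dependencies will be reported as non-registry sources and need manual review.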

Tool Categories

| Category | Tools | Purpose |
|---|---|---|
| Dependency Scanning | Snyk, npm audit, pip-audit | Known CVE detection |
| Container Scanning | Trivy, Grype | Image vulnerability analysis |
| Dependency Risk | socket.dev, Semgrep | Behavioral risk analysis |
| CI/CD Review | custom scripts, actionlint | Pipeline security audit |
| SBOM | syft, cyclonedx-cli | Bill of materials generation |

References

  • references/tools.md - Tool function signatures and parameters
  • references/workflows.md - Attack pattern definitions and test vectors

First seen: Feb 18, 2026