
Supply Chain Risk Scoring

Score npm/PyPI/Cargo dependency risk before install/upgrade using bomdrift SBOM diff…

Score the supply-chain risk of npm, PyPI and Cargo dependencies at the moment they change in a pull request, before the install or upgrade merges. The gate answers a different question than scan-everything tools: not 'what vulnerabilities exist' but 'what changed in this diff, and should I worry?' Six signals run together (SBOM diff, typosquat detection, maintainer-age scoring, CVE prioritization and license policy among them) to catch the long-game attacks that traditional scanners miss.

$15 one-time

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category Security
  • Delivery Email · instant
  • License One-time

Inside the run · no black box

See the actual work before you buy it.

The xz backdoor came in through a dependency change that looked routine. This gate diffs byte-deterministic SBOMs on every lockfile PR, runs six risk signals from CVE-with-EPSS to typosquat distance, and blocks the merge instead of advising.

  1. The gate triggers automatically on any PR that touches a lockfile or manifest: package.json, package-lock, pnpm-lock, requirements.txt, Pipfile.lock, Cargo files.
  2. Phase 1 generates byte-deterministic CycloneDX SBOMs for both the base branch and the PR head, so the comparison is exact, not approximate.
  3. Phase 2 diffs the two SBOMs and runs 6 signals on every changed dependency: CVE lookup with EPSS exploit probability and CISA KEV flags, Jaro-Winkler typosquat detection against a top-1000 package catalog at the 0.85 threshold, Bayesian maintainer-age scoring (the xz pattern: young account, sudden activity, ownership transfer), SPDX license policy (GPL/AGPL denied), multi-major version jumps and recently-published flags.
  4. Phase 3 uploads SARIF to the code scanning tab and upserts a single sticky PR comment; findings-only mode keeps clean PRs silent so the signal never drowns in noise.
  5. The verdict is enforced, not advisory: a critical CVE or typosquat hit exits with failure and blocks the merge, which also stops Renovate and Dependabot auto-merge from waving risky bumps through.
  6. Exceptions go through expiring suppressions only (a suppress comment with a date, 90 days maximum) plus a monthly review, so accepted risk re-surfaces instead of fossilizing.
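
An added illustration of the Phase 2 typosquat signal (the same Jaro-Winkler detector the FAQ describes), run over the components an SBOM diff introduces. This is example code, not the product's own; the catalog, the CycloneDX fragments and the "skip exact catalog matches" rule are constructed assumptions, while the 0.85 threshold is the one the page states.

```python
# Added example, not the product's own code: the Phase 2 Jaro-Winkler typosquat
# signal run over the components a CycloneDX SBOM diff adds. Catalog and SBOMs are constructed.

def jaro(s1: str, s2: str) -> float:
    """Jaro similarity: matches within a sliding window, half the transpositions count."""
    n1, n2 = len(s1), len(s2)
    window = max(0, max(n1, n2) // 2 - 1)
    hit1, hit2 = [False] * n1, [False] * n2
    matches = 0
    for i, ch in enumerate(s1):
        for j in range(max(0, i - window), min(n2, i + window + 1)):
            if not hit2[j] and s2[j] == ch:
                hit1[i] = hit2[j] = True
                matches += 1
                break
    if not matches: return 0.0  # nothing in common, avoid dividing by zero
    order1 = [s1[i] for i in range(n1) if hit1[i]]
    order2 = [s2[j] for j in range(n2) if hit2[j]]
    transpositions = sum(a != b for a, b in zip(order1, order2)) // 2
    return (matches / n1 + matches / n2 + (matches - transpositions) / matches) / 3

def jaro_winkler(s1: str, s2: str, p: float = 0.1) -> float:
    """Jaro boosted for up to four shared leading characters (Winkler's adjustment)."""
    j = jaro(s1, s2)
    prefix = 0
    for a, b in zip(s1[:4], s2[:4]):
        if a != b: break
        prefix += 1
    return j + prefix * p * (1.0 - j)

def added_components(base_sbom: dict, head_sbom: dict) -> list[str]:
    """Names whose (name, version) pair is in the PR-head SBOM but not in the base SBOM."""
    base = {(c["name"], c["version"]) for c in base_sbom["components"]}
    return [c["name"] for c in head_sbom["components"]
            if (c["name"], c["version"]) not in base]

def typosquat_findings(names, catalog, threshold: float = 0.85):
    """Flag names that are not in the catalog but sit within `threshold` of a catalog entry."""
    findings = []
    for name in names:
        if name in catalog: continue  # the real package itself, not a lookalike
        closest, score = max(((c, jaro_winkler(name, c)) for c in catalog), key=lambda x: x[1])
        if score >= threshold:
            findings.append((name, closest, round(score, 3)))
    return findings

CATALOG = ["lodash", "express", "react", "requests", "serde"]  # stand-in for the top-1000 catalog
BASE_SBOM = {"components": [{"name": "lodash", "version": "4.17.21"}, {"name": "react", "version": "18.2.0"}]}
HEAD_SBOM = {"components": [{"name": "lodahs", "version": "4.17.21"}, {"name": "react", "version": "18.2.0"},
                            {"name": "expresss", "version": "4.18.2"}, {"name": "left-pad", "version": "1.3.0"}]}
```

Running `typosquat_findings(added_components(BASE_SBOM, HEAD_SBOM), CATALOG)` flags `lodahs` and `expresss` against their catalog neighbours and leaves `left-pad` alone, because its best match scores well under 0.85.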
Use cases · what happens when you plug it in

One power source. 6 lines out.


  1. Gating a Renovate or Dependabot auto-merge PR with a risk score
  2. Catching a typosquatted transitive dependency before it lands
  3. Flagging a freshly-created maintainer account on a critical package
  4. Reviewing a major version bump that skips semver ranges
  5. Enforcing a license policy that denies GPL/AGPL in commercial code
  6. Producing a byte-deterministic SBOM diff as a sticky PR comment
Benefits · what you walk away with

Yours to keep.


Your forge

  1. See exactly what changed in a dependency diff before you merge it
  2. Stop typosquat and maintainer-takeover attacks that pure CVE scanners miss
  3. Block auto-merge bots when a package suddenly changes its maintainer set
  4. Keep noise low with findings-only comments and CRITICAL/HIGH thresholds

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box.

Part 1 of 6: a defensive CLI wrapper that snapshots SBOMs, diffs them and posts a sticky PR comment.

6 parts · one working system · ships instantly by email

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good.

If you're a team reviewing dependency upgrade PRs and want a diff-time gate alongside your scan-everything tooling, then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude Native format
  • ChatGPT Adapts via open standards
  • Gemini Adapts via open standards
  • Cursor Adapts via open standards
  • Copilot Adapts via open standards
Questions · still in the air

Catch what's on your mind.


  1. We already run Dependabot and a vulnerability scanner. Does this overlap?

    It answers a different question. Scanners tell you what vulnerabilities exist across your whole inventory; this scores what changed in a single PR diff: typosquatted packages, fresh maintainer accounts, license flips, the long-game attacks CVE scanners miss. It is designed to run alongside your existing tooling, including gating the Renovate or Dependabot auto-merge itself.

  2. How does it actually catch a typosquat or a maintainer takeover?

    Two of the six signals handle that: a Jaro-Winkler string-distance detector compares new dependency names across eight package ecosystems, and a Bayesian maintainer-risk scorer flags young accounts and recent ownership changes, the xz pattern. Both run on the SBOM diff, so they fire on the exact components a PR introduces.

  3. Does it continuously scan my entire dependency tree?

    No, and that is deliberate. It is a diff-time gate: it scores only what changed in a pull request before merge. Continuous full-inventory scanning, runtime monitoring, and vulnerability management stay with your scan-everything tools; this fills the gap they leave at the moment of change.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.