feat: Add Dependency & Supply Chain Security category #77
Closed
theLightArchitect wants to merge 31 commits into anthropics:main from
Change the default from Opus 4 to Opus 4.1
Remove incorrect reference to new-findings-count output that doesn't exist
Fail fast when API key is not provided
Revert "Fail fast when API key is not provided"
Update model example to a recent model
…ail-fast Enable claude-code-security-review action on this repo
Add explicit documentation for the claude-model action input
Clean up template references in action.yml
Update docs to clarify that the API key is used for both CC and the Claude API
…t need to invoke ps
…tion-docs Add security considerations for prompt injection
…ction.yaml files Instead of using @Version, pin all github actions uses to a specific commit hash. This makes it that much harder for a supply chain attack to occur.
Pin versions in workflow files
Adds a 6th security category covering supply chain attack vectors:
- Known vulnerable dependencies (CVEs in pinned versions)
- Unpinned or loosely pinned dependency versions
- Dependencies from untrusted registries
- Typosquatting risks in package names
- Dependency confusion (private vs public namespace conflicts)
- Malicious post-install scripts
- Lock file integrity issues

Updated in both prompts.py (API-driven audits) and .claude/commands/security-review.md (slash command audits) to keep them in sync.

Includes 2 new tests verifying the category appears in generated prompts and that custom_scan_instructions still injects correctly.

Closes anthropics#31

Co-Authored-By: Claude Opus 4.6 <[email protected]>
9156cea to 9960b64
Summary
Adds a 6th security category — Dependency & Supply Chain Security — to both the API-driven audit prompt and the /security-review slash command. This addresses a gap in the tool's coverage: the current 5 categories focus on application-layer vulnerabilities but miss supply chain attack vectors that are increasingly common in real-world breaches.

New category covers:
*, latest, >= without upper bound)

Design choice — prompt-only approach: This follows the existing architecture where Claude analyzes manifest files and lock files present in the PR diff. No new tooling (e.g., pip audit, npm audit) is added, keeping the change minimal and consistent with how the other 5 categories work. The existing custom_scan_instructions parameter remains available for per-project extensions.

Files changed:
- claudecode/prompts.py — Added category block after "Data Exposure", before {custom_categories_section}
- .claude/commands/security-review.md — Added identical category block (these files are maintained in lockstep)
- claudecode/test_prompts.py — 2 new tests: category presence + custom instructions ordering

Test results: 175 tests pass, 0 failures.
Closes #31
Test plan
python -m pytest claudecode/ -v)
custom_scan_instructions still injects correctly after the new category

🤖 Generated with Claude Code
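A deterministic pre-check for the loose-pinning patterns named in the description (`*`, `latest`, `>=` without upper bound) and for the commit-hash pinning of GitHub Actions mentioned in the commit list. This is an added example, not code from this PR or the project; the function names, sample manifests and the 40-character SHA are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the PR or the repository).
SAMPLE_REQUIREMENTS = "requests==2.31.0\nflask>=2.0\ndjango>=4.2,<5.0\npyyaml\nnumpy==1.*\n"
SAMPLE_NPM_DEPS = {"left-pad": "*", "express": "latest", "lodash": "4.17.21", "react": ">=18.0.0"}
SAMPLE_WORKFLOW = (
    "    - uses: actions/checkout@v4\n"
    "    - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567\n"  # placeholder SHA
)

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")           # full commit hash, not a tag or branch
REQ_LINE = re.compile(r"^([A-Za-z0-9._-]+)\s*(.*)$")  # package name, then the specifier


def loose_spec(spec):
    """Return why a version specifier is loosely pinned, or None if it is bounded."""
    spec = spec.strip()
    if not spec:
        return "no version constraint"
    if spec in ("*", "latest"):
        return f"floating version '{spec}'"
    if "*" in spec:
        return "wildcard in version"
    # pip separates clauses with commas, npm with spaces; accept both.
    clauses = [c for c in re.split(r"[,\s]+", spec) if c]
    has_lower = any(c.startswith(">") for c in clauses)
    has_upper = any(c.startswith(("<", "==", "~=")) for c in clauses)
    return "lower bound without upper bound" if has_lower and not has_upper else None


def scan_requirements(text):
    """Check requirements.txt-style lines; comments and option lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = REQ_LINE.match(line) if line and not line.startswith("-") else None
        if match and (reason := loose_spec(match.group(2))):
            findings.append((match.group(1), reason))
    return findings


def scan_npm(deps):
    """Check a package.json dependencies mapping (name -> range string)."""
    return [(name, reason) for name, spec in deps.items() if (reason := loose_spec(spec))]


def scan_workflow(text):
    """Return `uses:` references that are not pinned to a 40-hex commit hash."""
    refs = re.findall(r"uses:\s*(\S+)", text)
    return [r for r in refs if not r.startswith("./") and not SHA_PIN.search(r)]
```

npm caret and tilde ranges are not flagged here because the description does not list them; a lock file check would be needed to cover what they resolve to.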