competition-supply-chain
GitHubCTF竞赛供应链安全专项技能,用于追踪依赖漂移、镜像构建篡改及运行时消费异常。需在沙箱编排器激活后使用,通过端到端溯源分析构建发布流程中的证据断点。
Trigger Scenarios
Install
npx skills add zhaoxuya520/reverse-skill --skill competition-supply-chain -g -y
SKILL.md
Frontmatter
{
"name": "competition-supply-chain",
"description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for CI\/CD, registry, dependency drift, artifact provenance, image build, release pipeline, and runtime consumer challenges. Use when the user asks to trace dependency drift, registry pulls, malicious packages, build or release tampering, CI execution, artifact signing, or which shipped artifact the runtime actually consumes. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}
Competition Supply Chain
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the challenge is really about provenance, dependency drift, build output, release flow, or what runtime artifact actually got shipped.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Split the problem into source, dependency resolution, build, packaging, publish, and runtime consumption.
- Decide where the first divergence occurs between intended artifact and runtime artifact.
- Keep provenance as a compact chain, not a scattered set of observations.
- Reproduce the smallest possible build or package path that still shows the issue.
- Separate checked-in intent from what the pipeline actually emitted.
Workflow
1. Trace Provenance End-To-End
- Map source checkout, lockfiles, dependency fetch, pre/post-install steps, build scripts, packaging, publish target, and runtime consumer.
- Compare declared version, resolved version, and shipped artifact.
- Note registry, cache, mirror, or CI environment differences.
2. Reconcile Build-Time And Runtime
- Compare manifests with image layers, mounted secrets, generated files, and runtime hooks.
- Identify whether the decisive mutation happens in dependency install, build step, publish step, or runtime bootstrap.
3. Report The Break Point
- State the earliest point where provenance diverges.
- Keep evidence in one short chain from source to runtime consumer.
Read This Reference
- Load
references/supply-chain.mdfor the provenance checklist, evidence packaging, and common pipeline failure modes.
What To Preserve
- Declared dependency, resolved dependency, and runtime artifact versions
- CI step names, registry pulls, artifact hashes, and image or package layers
- The runtime consumer that actually accepts or executes the artifact
Version History
- 1bec1f2 Current 2026-07-05 18:46


