feat(skills): package 8 Socket supply-chain skills#499
Merged
Conversation
Packages 8 supply-chain security skills from SocketDev/skills (MIT) into Dockyard, all pinned to upstream commit 25879b0 (main as of 2026-04-02). Third vendor in the per-vendor skills sweep after #466 (Trail of Bits) and #498 (Sentry). Socket.dev is a supply-chain security vendor; these skills complement Dockyard's existing supply-chain-risk-auditor. Scanning and inspection: - socket-scan — SBOM, vuln, malware, license audit + cdxgen fallback - socket-inspect — package-research workflow (scores, alerts, CVEs, alts) Setup: - socket-setup — CLI install, auth, CI and Dockerfile integration Dependency fixing (socket-fix umbrella + 4 sub-skills): - socket-fix — orchestrator (Fix All tiered / Fix Package modes) - socket-dep-cleanup — remove a single unused dependency - socket-dep-patch — apply Socket binary-level patches in place - socket-dep-replace — swap or inline a dependency - socket-dep-upgrade — socket fix with one-at-a-time version bumps Note: the socket-fix sub-skills reference `skills/_shared/verify-build.md` from the upstream repo. The OCI packager only bundles files under spec.path, so that shared reference file will not ship with the artifact. The skills still work from their SKILL.md; the shared reference is supplementary guidance. Security allowlists: All 8 skills carry MANIFEST_MISSING_LICENSE — upstream is MIT at the repo root rather than per-skill SPDX in SKILL.md frontmatter. socket-setup also allowlists PIPELINE_TAINT_FLOW: the skill's prerequisites cite the official nvm installer (`curl ... | bash`) as a documentation example. The scanner itself flags it as 'uses a well-known installer URL — likely a standard installation'. All 8 skills pass `task validate-skill` and `task scan-skill`. Refs #476 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
🛡️ Skill Security Scan Results✅ socket-dep-cleanup
✅ socket-dep-patch
✅ socket-dep-replace
✅ socket-dep-upgrade
✅ socket-fix
✅ socket-inspect
✅ socket-scan
✅ socket-setup
Summary: Scanned 8 skill(s), all passed security checks. ✅ |
samuv
approved these changes
Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Packages 8 supply-chain security skills from
SocketDev/skills(MIT) into Dockyard. All skills pinned to upstream commit25879b0(main as of 2026-04-02).Third vendor in the per-vendor skills sweep after #466 (Trail of Bits) and #498 (Sentry). Socket.dev is a first-party supply-chain security vendor; this pack complements Dockyard's existing
supply-chain-risk-auditor.Tracks #476.
Skills added
Scanning and inspection
socket-scan— dependency scan with SBOM, vulnerabilities, malware, license audit; cdxgen fallback for unauthenticated userssocket-inspect— research a package before adoption — Socket scores, alerts, CVEs, dependency tree, alternativesSetup
socket-setup— install and authenticate the Socket CLI, sfw, socket-patch; configure CI (GitHub/GitLab/Bitbucket) and Dockerfile integrationDependency fixing (umbrella + 4 sub-skills)
socket-fix— orchestrator (Fix All tiered Conservative/Cautious/Full, or Fix Package)socket-dep-cleanup— evaluate and remove a single unused dependencysocket-dep-patch— apply Socket binary-level patches without version changessocket-dep-replace— swap a dependency for an alternative, inline, orsocket-optimizesocket-dep-upgrade—socket fixwith one-at-a-time version bumps and code migrationShared-file note
The
socket-fixsub-skills referenceskills/_shared/verify-build.mdin the upstream repo. The dockyard OCI packager only bundles files underspec.path, so that shared reference file does not ship with the per-skill artifact. The skills remain functional from their own SKILL.md; the shared file is supplementary guidance. If this turns out to be a common pattern across future vendors, we may want to package_shareddirs as additional bundled resources or a dedicated skill.Security allowlists
All 8 skills carry
MANIFEST_MISSING_LICENSE(INFO) — upstream is MIT at the repo root rather than as an SPDX identifier in per-skill SKILL.md frontmatter.socket-setupadditionally allowlistsPIPELINE_TAINT_FLOW(LOW): the skill's prerequisites cite the official nvm installer (curl -o- .../install.sh | bash) as a documentation example. The scanner itself flags the finding as "uses a well-known installer URL — likely a standard installation."Test plan
task validate-skillon all 8 specs — all VALIDBuild Skill Artifactsworkflow succeeds on this PRskill-scan-reportsurfaces only allowlisted findingsghcr.io/stacklok/dockyard/skills/<name>:0.1.0Closes #476