pentest-supply-chain


Pentest Supply Chain

Purpose

Supply chain attacks, whether a compromised build or maintainer (SolarWinds, the xz-utils backdoor) or a vulnerable dependency embedded everywhere (Log4Shell), are a rapidly growing threat category. Shannon explicitly excludes "vulnerable third-party libraries" from its scope, and MITRE ATT&CK T1195 (Supply Chain Compromise) is not covered by any existing skill. This skill fills that gap.

Prerequisites

Authorization Requirements

  • Written authorization with supply chain testing scope
  • Repository access for dependency and CI/CD analysis
  • Registry awareness: confirm which private registries, mirrors and proxies are in use and which package scopes or namespaces they serve, so that dependency-confusion and typosquatting checks target the right names
  • Build system access for pipeline review (if white-box)

Environment Setup

  • Snyk CLI for dependency vulnerability scanning
  • npm audit / pip-audit for ecosystem-specific checks
  • Trivy for container and filesystem scanning
  • socket.dev for dependency risk analysis
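The registry-awareness prerequisite above and the ecosystem-specific checks in this list both come down to reading the lockfile the target actually installs from. The following is an added example, not code from the joysafeter skill: it triages an npm package-lock.json (v1, v2 and v3 layouts) and flags entries fetched from hosts outside an allow-list, private-scope packages resolved from the public registry (the dependency-confusion exposure), git or plaintext-http sources that bypass the registry, and entries with no integrity hash. The allow-list, the `@corp` private scope and the embedded sample lockfile are all assumptions constructed for this example.

```python
"""Lockfile triage for a supply-chain engagement.

Added example, not the joysafeter skill's own code. It reads an npm
package-lock.json and flags entries that matter for T1195-style testing.
The allow-list, the private scope and the sample lockfile below are
assumptions constructed for this example.
"""
import json
from urllib.parse import urlparse

# Assumed allow-list: the public registry plus one hypothetical private host.
TRUSTED_REGISTRIES = {"registry.npmjs.org", "npm.corp.example"}
# Assumed private scope; anything under it must not come from the public registry.
PRIVATE_SCOPE = "@corp"
PUBLIC_REGISTRY = "registry.npmjs.org"

# Constructed sample lockfile (lockfileVersion 3 layout); hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/@corp/auth": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/@corp/auth/-/auth-2.1.0.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/evil-helper": {
            "version": "0.0.1",
            "resolved": "http://mirror.example.net/evil-helper-0.0.1.tgz",
        },
        "node_modules/some-lib": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@github.com/acme/some-lib.git#deadbeef",
        },
    },
})


def iter_entries(lock):
    """Yield (name, metadata) for v2/v3 lockfiles ("packages") and v1 ("dependencies")."""
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if path == "" or meta.get("link"):
                continue  # skip the root project entry and workspace symlinks
            # nested paths look like node_modules/a/node_modules/b; keep the last name
            yield path.rsplit("node_modules/", 1)[-1], meta
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta
            yield from walk(meta.get("dependencies", {}))  # v1 nests full entries

    yield from walk(lock.get("dependencies", {}))


def triage_lockfile(lock_text, trusted=TRUSTED_REGISTRIES, private_scope=PRIVATE_SCOPE):
    """Return a list of (package, reason) findings; an empty list means nothing flagged."""
    findings = []
    for name, meta in iter_entries(json.loads(lock_text)):
        resolved = meta.get("resolved", "")
        if not resolved:
            findings.append((name, "no resolved URL; source cannot be verified"))
            continue
        url = urlparse(resolved)
        if url.scheme.startswith("git"):
            findings.append((name, "git source bypasses the registry"))
        else:
            if url.scheme == "http":
                findings.append((name, "fetched over plaintext http"))
            if url.hostname not in trusted:
                findings.append((name, f"fetched from untrusted host {url.hostname}"))
            if not meta.get("integrity"):
                findings.append((name, "missing integrity hash"))
        # dependency-confusion exposure: a private-scope name served by the public registry
        if name.startswith(private_scope + "/") and url.hostname == PUBLIC_REGISTRY:
            findings.append((name, "private-scope package resolved from the public registry"))
    return findings


if __name__ == "__main__":
    for pkg, reason in triage_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {reason}")
```

Run it against the target's real package-lock.json by replacing SAMPLE_LOCK with the file contents and setting TRUSTED_REGISTRIES and PRIVATE_SCOPE from what the registry-awareness step established. A private-scope hit against the public registry is the finding to chase first: it means a public name collision would win the install, which is exactly what npm audit and Snyk will not report because the package has no advisory.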
Installs: 40
GitHub stars: 281
First seen: Feb 18, 2026
Source: jd-opensource/joysafeter (pentest-supply-chain)