Skip to content

Playbook OSS Supply Chain Assessment

Hermes Agent edited this page Jul 11, 2026 · 1 revision

OSS Supply-Chain Assessment

Objective

Assess open-source package, artifact, or build-chain risk in a bounded and evidence-driven way.

Inputs

  • repository or package context
  • build or release flow
  • artifact handling surfaces
  • trust assumptions

SMEs involved

Typically security-appsec-assessment, security-architecture, optionally recon, and security-qa.

Flow

  1. intake
  2. trust-boundary identification
  3. artifact or build-flow analysis
  4. candidate issue triage
  5. synthesis
  6. QA

Gates

  • candidate issue must go beyond generic breakage
  • impact must be tied to a real trust boundary
  • QA pass on scope and evidence

Outputs

  • supply-chain findings or observations
  • remediation and hardening guidance

Limitations

Not every parser or build bug is a security issue.

Sanitized example

Review whether a model import or serialization path can break integrity or availability across a trust boundary.

Clone this wiki locally