-
-
Notifications
You must be signed in to change notification settings - Fork 0
Playbook OSS Supply Chain Assessment
Hermes Agent edited this page Jul 11, 2026
·
1 revision
Assess open-source package, artifact, or build-chain risk in a bounded and evidence-driven way.
- repository or package context
- build or release flow
- artifact handling surfaces
- trust assumptions
Typically security-appsec-assessment, security-architecture, optionally recon, and security-qa.
- intake
- trust-boundary identification
- artifact or build-flow analysis
- candidate issue triage
- synthesis
- QA
- candidate issue must go beyond generic breakage
- impact must be tied to a real trust boundary
- QA pass on scope and evidence
- supply-chain findings or observations
- remediation and hardening guidance
Not every parser or build bug is a security issue.
Review whether a model import or serialization path can break integrity or availability across a trust boundary.