Supply Chain Security
SKILL.md
Supply Chain Security (供应链安全)
Instructions
- 先盘点依赖来源与版本策略
- 先填写 Required Inputs(仓库白名单、CVSS 门槛、签章策略)
- 创建 SCA 扫描与审核流程
- 一次只强化一个供应链节点
- 完成后对照 Quick Checklist
When to Use
- 项目依赖多、更新频繁
- 发布前需要风险检查
- 需要创建依赖治理标准
Example Prompts
- "请设计依赖版本锁定与更新策略"
- "帮我加上 SCA 扫描与风险门槛"
- "请创建密钥与签章管理规范"
- "帮我配置 Gradle Dependency Verification"
Workflow
- 先确认 Required Inputs(来源白名单、风险阈值、owner)
- 创建依赖来源与版本锁定策略
- 加入 SCA 扫描与审核流程
- 设置签章与密钥管理规范
- 将风险门槛纳入 CI Gate 并执行 Supply Chain Gate
Practical Notes (2026)
- 版本锁定与审核是最小安全基线
- 依赖更新与安全修补分开处理
- SCA 结果必须有处置规则
- 高危漏洞必须有 SLA 与责任人,不能只有报告
- 依赖来源、签章、校验三者必须同时满足才允许发布
Minimal Template
目标:
依赖来源:
来源白名单:
CVSS 阈值:
版本策略:
SCA 门槛:
验收: Quick Checklist
Required Inputs (执行前输入)
仓库白名单(允许的 Maven 源)CVSS 阈值(阻挡标准)owner(安全处置负责人)签章策略(发布签章与密钥轮换)依赖更新节奏(常规升级与安全补丁节奏)
Deliverables (完成后交付物)
Dependency Verification配置SCA 扫描流水线与阻挡规则签章与密钥管理规范(含轮换流程)风险处置流程(SLA + 升级路径)供应链审计记录(可回溯)
Supply Chain Gate (验收门槛)
./gradlew --write-verification-metadata sha256,pgp help
./gradlew dependencyCheckAnalyze
./gradlew build
若
dependencyCheckAnalyze发现超过阈值漏洞,必须在合并前完成修补或例外审批。
Dependency Governance
Gradle Dependency Verification
# 生成 verification-metadata.xml
./gradlew --write-verification-metadata sha256,pgp help
<!-- gradle/verification-metadata.xml -->
<verification-metadata>
<configuration>
<verify-metadata>true</verify-metadata>
<verify-signatures>true</verify-signatures>
</configuration>
<components>
<component group="com.google.dagger" name="hilt-android" version="<project-verified-version>">
<artifact name="hilt-android-<project-verified-version>.aar">
<sha256 value="abc123..." />
</artifact>
</component>
</components>
</verification-metadata>
Version Catalog 作为单一来源
# gradle/libs.versions.toml — 所有依赖版本集中管理
[versions]
kotlin = "<project-verified-version>"
hilt = "<project-verified-version>"
retrofit = "<project-verified-version>"
[libraries]
hilt-android = { group = "com.google.dagger", name = "hilt-android", version.ref = "hilt" }
retrofit = { group = "com.squareup.retrofit2", name = "retrofit", version.ref = "retrofit" }
依赖来源白名单
// settings.gradle.kts — 限制仓库来源
dependencyResolutionManagement {
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
repositories {
google()
mavenCentral()
// 禁止 jcenter()、jitpack 等未审核来源
}
}
SCA / Vulnerability Scanning
OWASP Dependency-Check
// build.gradle.kts
plugins {
id("org.owasp.dependencycheck") version "<project-verified-version>"
}
dependencyCheck {
failBuildOnCVSS = 7.0f // CVSS >= 7 阻挡构建
formats = listOf("HTML", "JSON")
suppressionFile = "config/owasp-suppressions.xml"
}
# 运行扫描
./gradlew dependencyCheckAnalyze
Suppressions 配置
<!-- config/owasp-suppressions.xml -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes>误报:此 CVE 不影响 Android 使用场景</notes>
<cve>CVE-2023-XXXXX</cve>
</suppress>
</suppressions>
Renovate / Dependabot 自动更新
文件名:renovate.json
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base"],
"packageRules": [
{
"matchUpdateTypes": ["major"],
"labels": ["major-update"],
"automerge": false
},
{
"matchUpdateTypes": ["minor", "patch"],
"matchPackagePatterns": ["androidx.*", "com.google.*"],
"automerge": true,
"automergeType": "pr"
}
],
"vulnerabilityAlerts": {
"enabled": true,
"labels": ["security"]
}
}
# .github/dependabot.yml (替代方案)
version: 2
updates:
- package-ecosystem: "gradle"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
labels:
- "dependencies"
Signing & Secrets Management
Keystore 安全管理
// build.gradle.kts — 从环境变量读取签章信息
android {
signingConfigs {
create("release") {
storeFile = file(System.getenv("KEYSTORE_PATH") ?: "release.keystore")
storePassword = System.getenv("KEYSTORE_PASSWORD") ?: ""
keyAlias = System.getenv("KEY_ALIAS") ?: ""
keyPassword = System.getenv("KEY_PASSWORD") ?: ""
}
}
buildTypes {
release {
signingConfig = signingConfigs.getByName("release")
}
}
}
GitHub Actions Secrets
# .github/workflows/release.yml
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Decode Keystore
run: echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > release.keystore
- name: Build Release
env:
KEYSTORE_PATH: release.keystore
KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
run: ./gradlew assembleRelease
- name: Clean Keystore
if: always()
run: rm -f release.keystore
.gitignore 安全规则
# 密钥与敏感文件
*.keystore
*.jks
local.properties
google-services.json
secrets.properties
CI Gate Integration
完整安全 Pipeline
# .github/workflows/security-gate.yml
name: Security Gate
on:
pull_request:
branches: [main]
jobs:
dependency-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: OWASP Dependency Check
run: ./gradlew dependencyCheckAnalyze
- name: Check for High Vulnerabilities
run: |
HIGH=$(jq '[.dependencies[].vulnerabilities[]? | select(.cvssv3?.baseScore >= 7)] | length' build/reports/dependency-check-report.json)
if [ "$HIGH" -gt 0 ]; then
echo "Found $HIGH high/critical vulnerabilities"
exit 1
fi
- name: Verify Dependencies
run: ./gradlew --dependency-verification strict help
- name: Upload Report
if: always()
uses: actions/upload-artifact@v4
with:
name: dependency-check-report
path: build/reports/dependency-check-report.html
风险处置规则
| CVSS 分数 | 等级 | 处置 |
|---|---|---|
| 9.0 - 10.0 | Critical | 立即修补,阻挡合并 |
| 7.0 - 8.9 | High | 48 小时内修补,阻挡合并 |
| 4.0 - 6.9 | Medium | 标注 Issue,本 Sprint 修补 |
| 0.1 - 3.9 | Low | 标注 Issue,下次更新时处理 |
Quick Checklist
- Required Inputs 已填写并冻结(白名单/CVSS/owner)
- Version Catalog 作为依赖单一来源
- Dependency Verification 启用(sha256 + pgp)
- 仓库来源白名单(禁止未审核来源)
- OWASP Dependency-Check 纳入 CI(CVSS >= 7 阻挡)
- Renovate/Dependabot 自动更新配置
- Keystore 与 Secrets 不进版控
- 签章流程可追踪(CI 环境变量注入)
- 风险处置规则明确且有 SLA
- Supply Chain Gate 已执行并通过