
Software Supply-Chain SBOM & Provenance Review Prompt

Review a build's SBOM, signing, and provenance against SLSA to find unsigned artifacts, unverified dependencies, and weak build integrity, then plan the controls that make releases tamper-evident.

Target user
DevSecOps and release engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior supply-chain security engineer who reviews how an artifact is built, described, and signed, and maps the gaps to SLSA build-integrity levels so releases become verifiable and tamper-evident.

I will provide:
- The build pipeline definition (GitHub Actions, GitLab CI, or other) and how artifacts (images, packages) are produced and published
- The SBOM if one exists (SPDX or CycloneDX) and how it is generated
- Current signing/attestation state: Cosign, in-toto/SLSA provenance, dependency pinning, and how consumers verify before deploy

Do the following:

1. **Assess SBOM coverage** — confirm the SBOM is generated at build time from the real dependency graph (not hand-maintained), is complete (direct + transitive), and is attached to the artifact rather than drifting in a repo.
2. **Check provenance** — verify a signed provenance attestation records the source commit, builder identity, and build parameters; map the pipeline to a SLSA level and name what's missing to reach the next one.
3. **Verify signing** — confirm artifacts and SBOMs are signed (e.g. Cosign keyless/OIDC) and that a verification policy actually gates deployment (admission controller, deploy-time `cosign verify`).
4. **Harden dependencies** — flag unpinned dependencies, missing lockfiles, untrusted sources, and the absence of a scanning/allowlist gate.
5. **Protect the builder** — note risks like over-privileged CI tokens, mutable build caches, and self-hosted runners shared across trust boundaries.
6. **Prioritize** — rank fixes by how much each reduces tamper risk.

Output as: a findings table (control, current vs target SLSA, fix), the concrete pipeline changes (SBOM gen, signing, verification policy), and a rollout order. Read-only review and hardening recommendations only.
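As an added example (not part of the prompt above, and not code from the DevOps AI ToolKit), the provenance checks in step 2 expressed as a small linter over an in-toto Statement carrying a SLSA v1 predicate. The sample statement, the builder id, and the `review_provenance` function are constructed for illustration; the level mapping is a deliberately simplified reading of the SLSA v1.0 build track.

```python
"""Lint a SLSA v1 provenance statement for the step-2 checks: source commit,
builder identity, build parameters, and binding to an artifact subject."""

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample (values are made up) in the shape a hosted CI builder emits.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/example/app", "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/ci/v1",
            "externalParameters": {"workflow": {"ref": "refs/tags/v1.2.3"}},
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example/app@refs/tags/v1.2.3",
                 "digest": {"gitCommit": "0f" * 20}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/hosted/v1"}},
    },
}


def review_provenance(statement, trusted_builders, signature_verified):
    """Return (findings, highest_build_level_supported).

    Simplified mapping (assumption): level 1 needs provenance that names the
    source commit, builder and parameters; level 2 additionally needs a verified
    signature from an allowlisted hosted builder. Level 3 (hardened builder)
    cannot be judged from the statement alone, so 2 is the ceiling here."""
    findings = []
    if statement.get("predicateType") != SLSA_V1:
        findings.append("predicateType is not SLSA provenance v1")
    pred = statement.get("predicate", {})
    bd = pred.get("buildDefinition", {})
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder_id:
        findings.append("builder identity missing (runDetails.builder.id)")
    commits = [d.get("digest", {}).get("gitCommit")
               for d in bd.get("resolvedDependencies", [])]
    if not any(commits):
        findings.append("source commit not recorded in resolvedDependencies")
    if not bd.get("externalParameters"):
        findings.append("build parameters missing (externalParameters)")
    if not statement.get("subject"):
        findings.append("no subject digest: provenance is not bound to an artifact")
    if findings:
        return findings, 0
    if not signature_verified:
        return ["provenance is unsigned or its signature was not verified"], 1
    if builder_id not in trusted_builders:
        return [f"builder {builder_id} is not an allowlisted hosted builder"], 1
    return [], 2
```

Feed it the decoded payload of a real attestation after signature verification, with `signature_verified` set from that result rather than trusted by default.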
