---
title: Supply Chain Risk Scoring
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/supply-chain-risk-scoring/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/supply-chain-risk-scoring/
last_updated: 2026-06-20
---

# Supply Chain Risk Scoring

> Score npm/PyPI/Cargo dependency risk before install/upgrade using bomdrift SBOM diff…

Score the supply-chain risk of npm, PyPI and Cargo dependencies at the moment they change in a pull request, before install or upgrade merges. The gate answers a different question than scan-everything tools: not 'what vulnerabilities exist?' but 'what changed in this diff, and should I worry?' Six signals run together: SBOM diff, typosquat detection, maintainer-age scoring, CVE prioritization and license policy, to catch the long-game attacks that traditional scanners miss.

## Use cases
- Gating a Renovate or Dependabot auto-merge PR with a risk score
- Catching a typosquatted transitive dependency before it lands
- Flagging a freshly-created maintainer account on a critical package
- Reviewing a major version bump that skips semver ranges
- Enforcing a license policy that denies GPL/AGPL in commercial code
- Producing a byte-deterministic SBOM diff as a sticky PR comment

## Benefits
- See exactly what changed in a dependency diff before you merge it
- Stop typosquat and maintainer-takeover attacks that pure CVE scanners miss
- Block auto-merge bots when a package suddenly changes its maintainer set
- Keep noise low with findings-only comments and CRITICAL/HIGH thresholds

## What’s included
- A defensive CLI wrapper that snapshots SBOMs, diffs them and posts a sticky PR comment
- A CycloneDX SBOM diff parser that classifies added/removed/upgraded/downgraded components
- A Bayesian maintainer-risk scorer that flags young accounts and recent ownership changes
- A Jaro-Winkler typosquat detector across eight package ecosystems
- A ready CI workflow plus a checked-in policy file for fail-on rules and license allow/deny
- A twelve-item anti-pattern list and a setup verification checklist

## Who it’s for
Teams reviewing dependency upgrade PRs who want a diff-time gate alongside their scan-everything tooling.

## How it runs
The xz backdoor came in through a dependency change that looked routine. This gate diffs byte-deterministic SBOMs on every lockfile PR, runs six risk signals from CVE-with-EPSS to typosquat distance, and blocks the merge instead of advising.
1. The gate triggers automatically on any PR that touches a lockfile or manifest: package.json, package-lock, pnpm-lock, requirements.txt, Pipfile.lock, Cargo files.
2. Phase 1 generates byte-deterministic CycloneDX SBOMs for both the base branch and the PR head, so the comparison is exact, not approximate.
3. Phase 2 diffs the two SBOMs and runs six signals on every changed dependency: CVE lookup with EPSS exploit probability and CISA KEV flags, Jaro-Winkler typosquat detection against a top-1000 package catalog at the 0.85 threshold, Bayesian maintainer-age scoring (the xz pattern: young account, sudden activity, ownership transfer), SPDX license policy (GPL/AGPL denied), multi-major version jumps and recently-published flags.
4. Phase 3 uploads SARIF to the code scanning tab and upserts a single sticky PR comment; findings-only mode keeps clean PRs silent so the signal never drowns in noise.
5. The verdict is enforced, not advisory: a critical CVE or typosquat hit exits with failure and blocks the merge, which also stops Renovate and Dependabot auto-merge from waving risky bumps through.
6. Exceptions go through expiring suppressions only (a suppress comment with a date, 90 days maximum) plus a monthly review, so accepted risk re-surfaces instead of fossilizing.

## FAQ
### We already run Dependabot and a vulnerability scanner. Does this overlap?
It answers a different question. Scanners tell you what vulnerabilities exist across your whole inventory; this scores what changed in a single PR diff: typosquatted packages, fresh maintainer accounts, license flips, the long-game attacks CVE scanners miss. It is designed to run alongside your existing tooling, including gating the Renovate or Dependabot auto-merge itself.

### How does it actually catch a typosquat or a maintainer takeover?
Two of the six signals handle that: a Jaro-Winkler string-distance detector compares new dependency names across eight package ecosystems, and a Bayesian maintainer-risk scorer flags young accounts and recent ownership changes, the xz pattern. Both run on the SBOM diff, so they fire on the exact components a PR introduces.
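The typosquat signal from Phase 2 and this answer, as an added example that is not the product's own code: a Jaro-Winkler comparison of the component names an SBOM diff adds against a package catalog at the page's 0.85 threshold, with an enforced exit code. The catalog and the added-name list are constructed stand-ins, not the real top-1000 list.

```python
# Added example (not the product's code): Jaro-Winkler typosquat check over
# the "added" side of an SBOM diff. CATALOG stands in for the top-1000 list;
# 0.85 is the threshold the page states.
CATALOG = ["lodash", "express", "react", "requests", "numpy", "serde", "tokio"]
THRESHOLD = 0.85
# Constructed added components: one squat, one unrelated name, one exact match.
ADDED = ["lodahs", "pino", "tokio"]

def jaro_winkler(s, t, p=0.1):
    """Jaro-Winkler similarity in [0, 1]; 1.0 means identical strings."""
    if s == t:
        return 1.0
    win = max(len(s), len(t)) // 2 - 1       # matching window half-width
    ms, mt = [False] * len(s), [False] * len(t)
    for i, ch in enumerate(s):               # greedy in-window matching
        for j in range(max(0, i - win), min(len(t), i + win + 1)):
            if not mt[j] and t[j] == ch:
                ms[i] = mt[j] = True
                break
    m = sum(ms)
    if m == 0:
        return 0.0
    s_m = [c for c, f in zip(s, ms) if f]    # matched chars, in order
    t_m = [c for c, f in zip(t, mt) if f]
    trans = sum(a != b for a, b in zip(s_m, t_m)) // 2
    jaro = (m / len(s) + m / len(t) + (m - trans) / m) / 3
    prefix = 0                               # Winkler bonus: common prefix <= 4
    while prefix < min(4, len(s), len(t)) and s[prefix] == t[prefix]:
        prefix += 1
    return jaro + prefix * p * (1 - jaro)

def typosquat_hits(added, catalog, threshold=THRESHOLD):
    """(added_name, nearest_catalog_name, score) for near-but-not-equal names."""
    hits = []
    for name in added:
        if name in catalog:                  # exact catalog match is not a squat
            continue
        best = max(catalog, key=lambda c: jaro_winkler(name, c))
        score = jaro_winkler(name, best)
        if score >= threshold:
            hits.append((name, best, round(score, 3)))
    return hits

def gate_exit_code(added, catalog=CATALOG):
    """Enforced verdict: non-zero when a typosquat hit should block the merge."""
    return 1 if typosquat_hits(added, catalog) else 0
```

Wire `gate_exit_code` to the process exit status in the CI step so a hit fails the job rather than only commenting.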

### Does it continuously scan my entire dependency tree?
No, and that is deliberate. It is a diff-time gate: it scores only what changed in a pull request before merge. Continuous full-inventory scanning, runtime monitoring, and vulnerability management stay with your scan-everything tools; this fills the gap they leave at the moment of change.

## Price
$15, one-time, no subscription. VAT included.

Related guide: [AI for application security](https://forgehouse.ai/guides/ai-application-security/)
