
docs: add dependency reachability and manifest gates #1300

Open

catcherintheroad-hub wants to merge 1 commit into UnitOneAI:main from catcherintheroad-hub:improve/dependency-scanning-reachability-vex

Conversation

@catcherintheroad-hub


Summary

Implements the dependency-scanning coverage gaps described in #1143.

What changed

  • Expands manifest detection coverage for Python pyproject.toml, NuGet/.NET, Composer, Ruby, Dart, and Elixir manifests/lockfiles.
  • Adds manifest-lockfile drift as a first-class dependency risk.
  • Adds non-registry dependency review for git, URL, tarball, path, archive, and mutable-ref dependencies.
  • Adds install-script and lifecycle-hook review to the core procedure.
  • Adds reachability/VEX to vulnerability triage and output.
  • Updates EPSS handling to consider both probability and percentile, and warns against treating KEV absence as a downgrade signal.
  • Updates license review to parse SPDX expressions/exceptions and scope copyleft risk to distributed/runtime components.
  • Reframes PyPI hyphen/underscore/dot handling as PEP 503 normalization rather than automatic typosquatting.
  • Adds references for SPDX license expressions, CycloneDX VEX, OSV-Scanner, and PEP 503 name normalization.

Why

The existing skill already had useful CVSS/EPSS/KEV and SBOM guidance, but it could over-report SPDX-expression/license cases and miss high-risk supply-chain patterns such as git/URL/tarball dependencies, transitive install scripts, manifest-lockfile drift, and non-reachable CVEs with VEX evidence.

Validation

  • git diff --check
  • Markdown code fence balance check
  • dependency scanning content marker check
  • prompt-injection pattern scan from the repository workflow logic
  • frontmatter sweep from the repository workflow logic
  • SPDX expressions, CycloneDX VEX, OSV-Scanner, and PEP 503 reference URL reachability check

Bounty

This is intended as a Skill Improvement / Improver contribution for #1143. Payment details can be provided privately after maintainer acceptance.

@chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b1a5a770f3


| Critical/High | Low probability and low percentile | No | Reachable or unknown | P2 - Scheduled | Patch in next release cycle |
| Critical/High | Any | No | Not affected / not reachable with VEX evidence | P3 - Track | Record VEX status and reopen if reachability or exploit intel changes |
| Medium | High probability, high percentile, or active exploit intel | Any | Reachable or unknown | P1 - Urgent | Patch within current sprint |
| Medium | Low probability and low percentile | No | Not affected / not reachable with VEX evidence | P4 - Monitor | Document and revisit quarterly |


P2: Cover low-EPSS medium vulnerabilities with unknown reachability

When a medium-severity CVE has low EPSS, is not in KEV, and reachability is reachable or unknown, the matrix no longer has any matching row; the previous Medium + low EPSS + no KEV case was removed and this replacement only covers proven Not affected / not reachable findings. Most dependency scanners cannot prove non-reachability, so following this skill leaves common medium findings without a priority or action.


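To reproduce the kind of gap the comment above reports, here is an added example (not code from the PR or the repository) that parses the four matrix rows quoted above, treats "Any" as a wildcard, and enumerates the severity/EPSS/KEV/reachability combinations that no row decides. The column order and the Yes/No KEV domain are assumptions; because only four rows of the table are quoted on this page, it reports more gaps than the full file would, but the Medium + low EPSS + not in KEV + reachable-or-unknown case is among them.

```python
"""Completeness check for a severity/EPSS/KEV/reachability triage matrix."""
from itertools import product

# Constructed input: the four markdown rows quoted in the review comment above.
# Assumed column order: severity | EPSS | KEV | reachability | priority | action.
MATRIX_ROWS = """\
| Critical/High | Low probability and low percentile | No | Reachable or unknown | P2 - Scheduled | Patch in next release cycle |
| Critical/High | Any | No | Not affected / not reachable with VEX evidence | P3 - Track | Record VEX status and reopen if reachability or exploit intel changes |
| Medium | High probability, high percentile, or active exploit intel | Any | Reachable or unknown | P1 - Urgent | Patch within current sprint |
| Medium | Low probability and low percentile | No | Not affected / not reachable with VEX evidence | P4 - Monitor | Document and revisit quarterly |
"""
KEV_VALUES = ("Yes", "No")  # assumed domain; the quoted rows only ever say "No"


def parse_rows(table):
    """Turn markdown table rows into rules; an 'Any' cell becomes the wildcard None."""
    rules = []
    for line in table.strip().splitlines():
        severity, epss, kev, reach, priority, action = (
            c.strip() for c in line.strip().strip("|").split("|"))
        rules.append({"severity": set(severity.split("/")),  # "Critical/High" -> both
                      "epss": None if epss == "Any" else epss,
                      "kev": None if kev == "Any" else kev,
                      "reach": None if reach == "Any" else reach,
                      "priority": priority, "action": action})
    return rules


def triage(rules, severity, epss, kev, reach):
    """(priority, action) of the first matching row, or None when no row applies."""
    for r in rules:
        if severity in r["severity"] and all(
                r[k] in (None, v) for k, v in (("epss", epss), ("kev", kev), ("reach", reach))):
            return r["priority"], r["action"]
    return None


def uncovered_cases(rules, kev_values=KEV_VALUES):
    """Every (severity, EPSS, KEV, reachability) combination that no row decides."""
    values = lambda key: sorted({r[key] for r in rules if r[key] is not None})
    severities = sorted({s for r in rules for s in r["severity"]})
    return [combo for combo in product(severities, values("epss"), kev_values, values("reach"))
            if triage(rules, *combo) is None]


if __name__ == "__main__":
    for combo in uncovered_cases(parse_rows(MATRIX_ROWS)):
        print("no row for:", combo)
```

Paste the remaining rows of the real table into MATRIX_ROWS and the gap list shrinks to the cases the skill genuinely leaves undecided.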