docs(security): sample supply chain analysis for webapp01 (custom agent output)

[emmanuelknafo]

Summary

⚠️ Sample findings — These reports are demonstration outputs from the custom SupplyChainSecurityAgent subagent defined in this repository. They illustrate what the custom DevSecOps agents produce when run against src/webapp01. Treat all "secrets" and CVEs shown as illustrative sample data unless independently verified against live systems.

Closes #55

What's in this PR

This PR adds four supply chain security artifacts under security-reports/ generated by running the custom SupplyChainSecurityAgent against src/webapp01:

File	Purpose
supply-chain-report.md	Full analysis: secrets, SCA, SBOM, license compliance, governance
pr-ready-fixes.md	Diff-ready remediations with implementation steps
engineering-backlog.md	18 sprint-ready work items with acceptance criteria
quick-reference.md	Executive summary

Custom Agent Used

SupplyChainSecurityAgent — one of several custom security subagents in this repo:

• SecurityAgent — orchestrator
• SecurityReviewerAgent — OWASP Top 10 in app code
• IaCSecurityAgent — Terraform / Bicep / ARM
• PipelineSecurityAgent — GitHub Actions / Azure DevOps
• SupplyChainSecurityAgent — secrets, SCA, SBOM, supply chain (this PR)

Sample Findings Overview

Demonstration findings from the agent run on src/webapp01:

Severity	Count	Examples
🔴 Critical	3	Hardcoded Azure Storage key, GitHub token, SQL password
🟠 High	4	CVE-2024-0056 (Microsoft.Data.SqlClient 5.0.2), missing packages.lock.json, .gitignore gaps
🟡 Medium	3	Outdated Newtonsoft.Json / System.Text.Json, unpinned Dockerfile bases
🟢 Low	1	Azure.Identity minor version lag

Out of Scope

These domains are owned by other custom agents and not addressed here:

• Application code vulnerabilities (log injection, ReDoS) → SecurityReviewerAgent
• IaC misconfigurations → IaCSecurityAgent
• Workflow hardening → PipelineSecurityAgent

Validation

• Reports are documentation only — no executable code or config changes
• No production secrets included (all values are sample/illustrative)
• No changes to application source, infrastructure, or workflows
• Branch follows convention: feature/55-supply-chain-security-analysis-webapp01

Reviewer Notes

Reviewers should evaluate this PR as a demonstration of agent output quality rather than as production security guidance. Real remediation should be tracked in follow-up issues after independent verification.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 4f7fff4.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None