---
name: nvidia-ngc-nim-supply-chain-governor
description: Use this skill when reviewing NVIDIA NGC and NIM supply chain posture — NGC org and team boundaries, API key scope and rotation, NIM container cosign verification against NVIDIA's published identity, model card and weights provenance, AI Enterprise entitlement posture, and air-gap mirror integrity. Trigger when the user asks whether NIM images are verified before deployment, whether NGC keys are scoped per environment, or whether the deployment is procurement-defensible for a regulated tenant.
allowed-tools: Read Grep Glob
metadata:
  author: "github: Raishin"
  version: "0.1.0"
  updated: "2026-05-10"
  category: security
---
# NVIDIA NGC and NIM Supply Chain Governor

## Purpose
Review supply chain posture for NGC (NVIDIA GPU Cloud) registry consumption and NIM (NVIDIA Inference Microservices) deployment: NGC org/team boundaries, API key scope and rotation, NIM container signature verification, model card and weights provenance, AI Enterprise entitlement posture, and air-gap mirror integrity for sovereign deployments.
Static review only. This skill reads configuration and emits findings. It does not execute `cosign verify` or contact registries. For a runtime-evidence go/no-go decision on a single candidate NIM image moving staging → production, route to the live-tier counterpart `nvidia-model-promotion-gatekeeper`, which executes an allowlisted set of cosign/crane/oras/grype commands and emits a cosign-signable attestation JSON.
## Lean operating rules
- Prefer live evidence (`cosign verify nvcr.io/nim/...`, NGC org/team listings, key creation timestamps and scopes, AI Enterprise license metadata, mirror manifest digests) when the active client exposes it; otherwise fall back to NVIDIA NGC and NIM documentation and sanitized configuration.
- Separate confirmed facts from inference. If image signature verification, key scope, or mirror integrity was not directly queried, say so.
- Treat NGC API keys with org-wide write scope used in CI as a critical finding — a leaked key publishes attacker-controlled artifacts.
- Treat NIM containers deployed without `cosign verify` (or an equivalent admission policy) against NVIDIA's published identity as a high finding — image trust is unverified.
- Treat NGC keys without a rotation cadence and without environment scoping (prod / non-prod) as a high finding.
- Treat model deployment with no model card and no weights provenance attestation as a high finding for regulated tenants — lineage cannot be reconstructed for audit.
- Treat air-gap mirrors that copy by tag rather than digest as a critical finding — tags are mutable, mirror drift is silent.
- Treat AI Enterprise entitlement posture that depends on a single license server with no failover as a medium finding for production.
- Treat NIM model artifacts cached on local disk with world-readable permissions on shared hosts as a high finding — weight exfiltration path.
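As an added illustration of the static checks these rules describe (example code written for this page, not part of the skill and not NVIDIA tooling), the following Python runs the tag-versus-digest, signature-policy coverage, and key scope/rotation checks over a constructed configuration. The input schema (`ngc_keys`, `nim_images`, `admission_policies`, `mirror_copies`), the `nvidia-published` verifier label, the 90-day rotation threshold, and the sample image references and key names are assumptions made for the example; nothing here contacts a registry or runs cosign, matching the skill's static-only scope.

```python
"""Static posture checks for NGC keys, NIM image trust and air-gap mirrors.

Added example; not NVIDIA code and not the skill's own tooling. Reads
sanitized configuration only: no registry call, no cosign execution.
The config schema below is assumed for illustration.
"""
import fnmatch
import re
from datetime import date

# OCI reference: host[:port]/path[:tag][@sha256:<64 hex>]
REF_RE = re.compile(
    r"^(?P<repo>[^@:\s/]+(?::\d+)?/[^@:\s]+)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def pin_kind(ref):
    """'digest' if the reference carries @sha256:..., 'tag' if it relies on a
    mutable tag, 'invalid' if it is not a well-formed reference."""
    m = REF_RE.match(ref)
    if not m:
        return "invalid"
    return "digest" if m.group("digest") else "tag"


def check_mirror(copies):
    """Rule: an air-gap mirror copy by tag is critical; tags are mutable and
    drift is silent. Each copy is (source_ref, destination_ref)."""
    out = []
    for src, _dst in copies:
        kind = pin_kind(src)
        if kind != "digest":
            out.append(("critical", f"mirror copies {src} by {kind}, not by digest"))
    return out


def check_signature_policy(images, policies):
    """Rule: a NIM image with no admission policy verifying it against
    NVIDIA's published identity is high. A policy is a dict with an image
    glob and the verifier identity it checks against (label assumed)."""
    out = []
    for img in images:
        covered = any(
            fnmatch.fnmatchcase(img, p["glob"]) and p.get("verifier") == "nvidia-published"
            for p in policies
        )
        if not covered:
            out.append(("high", f"{img} has no signature policy against NVIDIA's identity"))
    return out


def check_ngc_keys(keys, today, max_age_days=90):
    """Rules: an org-wide write key used by CI is critical; no environment
    scope or no rotation within max_age_days (assumed threshold) is high."""
    out = []
    for k in keys:
        name = k["name"]
        if k["scope"] == "org-write" and k.get("used_by") == "ci":
            out.append(("critical", f"{name}: org-wide write key used in CI"))
        if k.get("environment") not in ("prod", "non-prod"):
            out.append(("high", f"{name}: not scoped to prod or non-prod"))
        if (today - k["created"]).days > max_age_days:
            out.append(("high", f"{name}: older than {max_age_days} days, no rotation"))
    return out


def review(config, today):
    """Run every static check; return (severity, message) tuples, critical first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = (
        check_ngc_keys(config["ngc_keys"], today)
        + check_signature_policy(config["nim_images"], config["admission_policies"])
        + check_mirror(config["mirror_copies"])
    )
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample configuration (not from any real tenant); digest is a dummy.
GOOD_DIGEST = "sha256:" + "ab" * 32
REVIEW_DATE = date(2026, 5, 10)
SAMPLE = {
    "ngc_keys": [
        {"name": "ci-build", "scope": "org-write", "used_by": "ci",
         "environment": None, "created": date(2025, 1, 15)},
        {"name": "prod-pull", "scope": "team-read", "used_by": "k8s-pull-secret",
         "environment": "prod", "created": date(2026, 4, 1)},
    ],
    "nim_images": [
        f"nvcr.io/nim/meta/llama3-8b-instruct@{GOOD_DIGEST}",
        "nvcr.io/nim/nvidia/nv-embedqa-e5-v5:1.0.0",
    ],
    "admission_policies": [
        {"glob": "nvcr.io/nim/meta/*", "verifier": "nvidia-published"},
    ],
    "mirror_copies": [
        (f"nvcr.io/nim/meta/llama3-8b-instruct@{GOOD_DIGEST}",
         f"mirror.internal:5000/nim/meta/llama3-8b-instruct@{GOOD_DIGEST}"),
        ("nvcr.io/nim/nvidia/nv-embedqa-e5-v5:1.0.0",
         "mirror.internal:5000/nim/nvidia/nv-embedqa-e5-v5:1.0.0"),
    ],
}

if __name__ == "__main__":
    for sev, msg in review(SAMPLE, REVIEW_DATE):
        print(f"[{sev}] {msg}")
```

On the sample the run yields two criticals (the org-write CI key and the tag-copied mirror entry) and three highs (the unscoped key, its missing rotation, and the embedding image that no policy covers); the digest-pinned, policy-covered image and the team-scoped pull key produce nothing. The severities mirror the rules above so that a finding list can be pasted straight into the response minimum.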
## Response minimum
Return, at minimum:
- the scoped target (NGC org/team, NIM image set, AI Enterprise license set) and evidence level,
- NGC key scope and rotation posture,
- NIM signature verification posture,
- model card / weights provenance posture,
- air-gap mirror integrity posture (digest-pinned vs tag-pinned),
- AI Enterprise entitlement posture,
- safe next actions and assumptions or blockers.