Add Supply Chain Security Specialist agent for vulnerability analysis and reporting #6

Closed
Copilot wants to merge 4 commits into main from copilot/fix-5

Copilot AI commented Jul 29, 2025

This PR implements a new Supply Chain Security Specialist agent that provides comprehensive dependency vulnerability analysis across multiple package ecosystems. The agent focuses purely on detection and reporting without making any code modifications.

Key Features

🔍 Multi-Ecosystem Vulnerability Scanning

  • Supports Node.js, Python, Rust, Go, Java, PHP, Ruby, .NET, Swift and more
  • Parses dependency manifests (package.json, requirements.txt, Cargo.lock, go.mod, etc.)
  • Discovers both direct and transitive dependencies

🛡️ Comprehensive Vulnerability Database Integration

  • OSV.dev: Primary source for open-source vulnerabilities with batch API support
  • GitHub Advisory Database: CVSS scores, severity ratings, and patch information
  • National Vulnerability Database (NVD): Official CVE details and CVSS metrics
  • Snyk Database: Optional integration for early vulnerability disclosure

📊 Risk-Based Prioritization

  • CVSS severity scoring (Critical/High/Medium/Low)
  • Exploit maturity assessment using CISA KEV catalog
  • Patch availability analysis with upgrade path recommendations
  • Multi-factor vulnerability scoring system

📋 Analysis and Reporting Only

  • Creates detailed security issues for vulnerabilities requiring attention
  • Generates comprehensive Markdown reports with executive summaries
  • Provides actionable remediation guidance without making code changes
  • Coordinates with other agents for actual remediation work

Implementation Details

Agent Configuration:

  • Runs weekly on Mondays at 9 AM UTC for proactive monitoring
  • 20-minute timeout for comprehensive repository scanning
  • Read-only permissions for security analysis (contents: read, pull-requests: read)
  • Limited bash commands for analysis tools only (git, curl, python, pip)

API Integration:

  • Respectful rate limiting (5-50 requests/30s for NVD based on API key)
  • Environment variable support for API credentials (GITHUB_TOKEN, NVD_API_KEY, SNYK_TOKEN)
  • Caching strategies to minimize redundant API calls

Team Coordination:

  • Uses shared team issue system for multi-agent collaboration
  • Coordinates with existing agents for vulnerability remediation
  • Focuses on detection while other agents handle fixes

Example Output

The agent generates comprehensive security reports like:

# Supply Chain Security Report

## Executive Summary
📊 **Total Vulnerabilities Found:** 12
- 🔴 **CRITICAL:** 2  
- 🟠 **HIGH:** 4
- 🟡 **MEDIUM:** 5

## Prioritized Action Plan
1. 🚨 **IMMEDIATE - Upgrade Express.js**
   - Current: 4.16.1 → Target: 4.17.3+
   - Addresses: CVE-2022-24999 (Critical RCE)

This agent provides enterprise-grade supply chain security monitoring focused on analysis and reporting, enabling informed decision-making for vulnerability remediation.

Fixes #5.
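
An added illustration of the manifest-parsing and OSV.dev batch-query step described in the PR description above; it is not code from this PR or the agent. It shows that only exactly pinned versions can be sent to OSV's `/v1/querybatch` as `package` + `version` queries, while ranges and includes have to be resolved from a lockfile first. The sample manifests, function names and the batch size of 100 are assumptions.

```python
import json
import re

# Constructed sample manifests (not from the PR's repository).
REQUIREMENTS_TXT = """\
requests==2.19.1
Flask>=1.0        # range: no single version to query
PyYAML==5.3.1 ; python_version >= "3.6"
-r dev-requirements.txt
"""
PACKAGE_JSON = '{"dependencies": {"express": "4.16.1", "lodash": "^4.17.0"}}'

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.!+_-]+)$")
EXACT_NPM = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def parse_requirements(text):
    """Split requirements.txt into OSV-queryable pins and skipped lines."""
    pinned, skipped = [], []
    for raw in text.splitlines():
        # Drop comments and environment markers before matching.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = PIN.match(line)
        if m:
            pinned.append(("PyPI", m.group(1), m.group(2)))
        else:
            skipped.append(line)  # ranges, includes, URLs: need a lockfile
    return pinned, skipped


def parse_package_json(text):
    """Same split for package.json: only exact versions are queryable."""
    pinned, skipped = [], []
    for name, spec in json.loads(text).get("dependencies", {}).items():
        if EXACT_NPM.match(spec):
            pinned.append(("npm", name, spec))
        else:
            skipped.append(f"{name}@{spec}")
    return pinned, skipped


def osv_batches(packages, size=100):
    """Yield request bodies for POST https://api.osv.dev/v1/querybatch."""
    for i in range(0, len(packages), size):
        yield {"queries": [
            {"package": {"ecosystem": eco, "name": name}, "version": ver}
            for eco, name, ver in packages[i:i + size]]}
```

The skipped lists are worth surfacing in the report: a dependency that was never queried is not the same as a dependency with no known vulnerabilities.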


…bility scanning

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Supply chain security specialist Add Supply Chain Security Specialist agent for comprehensive vulnerability scanning Jul 29, 2025
Copilot AI requested a review from pelikhan July 29, 2025 08:49

@pelikhan pelikhan left a comment

Only focus on analysis, no fixes

@pelikhan

@copilot only focus on detection, not fixing the code.
Update permissions accordingly.

@pelikhan

@copilot merge origin/main and update syntax

…h read-only permissions

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 30, 2025

Only focus on analysis, no fixes

Updated the agent to focus purely on vulnerability analysis and reporting. Removed all automated remediation capabilities and pull request creation. Commit 062d037.

@copilot merge origin/main and update syntax

Updated YAML syntax to match the standard format used in other workflows. The main branch merge wasn't accessible due to authentication, but the syntax has been aligned with existing patterns. Commit 8a9a6f9.


Copilot AI commented Jul 30, 2025

@copilot only focus on detection, not fixing the code.
Update permissions accordingly.

Updated to focus only on vulnerability detection and analysis. Removed code fixing capabilities and updated permissions to read-only. Restricted bash commands to analysis tools only. Commit 062d037.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Add Supply Chain Security Specialist agent for comprehensive vulnerability scanning Add Supply Chain Security Specialist agent for vulnerability analysis and reporting Jul 30, 2025
Copilot AI requested a review from pelikhan July 30, 2025 15:28
@dsyme dsyme closed this Aug 1, 2025