production-ready
# Production Ready
Comprehensive production readiness, security hardening, and professional release preparation for any project.
## When to Use
- Before deploying to production for the first time
- After major changes before release
- When conducting security audits
- When open-sourcing a project
- During compliance reviews
- When onboarding to a new codebase
## Quick Start
First, ask the user which mode:

```
Which level of audit do you need?

1. **Quick** - Fast CI-suitable checks (~2 min)
   - Secret scanning
   - Critical vulnerabilities only

2. **Security** - Deep security audit (~10 min)
   - All vulnerability severities
   - SBOM generation
   - Configuration hardening

3. **Full** - Comprehensive audit (~15 min)
   - All security checks
   - Documentation review
   - CI/CD validation
   - Monitoring setup check
```

## Step 1: Detect Tech Stack
Before scanning, identify the project's tech stack and dependencies:
```bash
# Detect project files to determine stack. Patterns are anchored and escaped:
# a bare "*.csproj" is not a valid extended regex, and pyproject.toml is
# included to match the table below.
ls -a | grep -E '^(package\.json|requirements\.txt|pyproject\.toml|Cargo\.toml|go\.mod|Gemfile|pom\.xml|build\.gradle|composer\.json|pubspec\.yaml)$|\.csproj$'
```
| File Detected | Stack | Primary Security Tools |
|---------------|-------|------------------------|
| `package.json` | Node.js/JavaScript | npm audit, snyk, retire.js |
| `requirements.txt` / `pyproject.toml` | Python | pip-audit, safety, bandit |
| `Cargo.toml` | Rust | cargo-audit, cargo-deny |
| `go.mod` | Go | govulncheck, gosec |
| `Gemfile` | Ruby | bundle-audit, brakeman |
| `pom.xml` / `build.gradle` | Java | OWASP Dependency-Check, SpotBugs |
| `composer.json` | PHP | composer audit, phpstan |
| `*.csproj` | .NET | dotnet list package --vulnerable |
| `pubspec.yaml` | Dart/Flutter | dart pub outdated |
## Step 2: Recommend Security Tools
Based on detected stack, recommend appropriate tools. ALWAYS ask the user before installing any tools.
### Universal Tools (All Projects)
**Free/Open-Source (Industry Standard):**

| Tool | Purpose | Install Command (Homebrew shown; each tool also publishes release binaries) |
|---|---|---|
| gitleaks | Secret detection in git history | `brew install gitleaks` |
| trufflehog | Deep secret scanning with verification | `brew install trufflehog` |
| syft | SBOM generation | `brew install syft` |
| grype | Vulnerability scanner (multi-language) | `brew install grype` |
| trivy | Comprehensive security scanner | `brew install trivy` |
| semgrep | Static analysis (SAST) | `brew install semgrep` |
**Paid/Enterprise (State of the Art):**
| Tool | Purpose | Notes |
|---|---|---|
| Snyk | Full-spectrum security (SCA, SAST, containers) | Free tier available, enterprise features paid |
| Sonatype Nexus Lifecycle | Enterprise dependency management | Industry leader in SCA |
| Checkmarx | Enterprise SAST/DAST | Comprehensive enterprise solution |
| Veracode | Application security platform | Enterprise-grade scanning |
| GitHub Advanced Security | Integrated security (CodeQL, Dependabot) | Native GitHub integration |
### Language-Specific Tools
**JavaScript/Node.js:**
- Free: `npm audit`, `yarn audit`, retire.js, eslint-plugin-security
- Paid: Snyk (free tier), Socket.dev

**Python:**
- Free: pip-audit, safety, bandit (the Python tools from the Step 1 table)

**Go:**
- Free: govulncheck, gosec
- Paid: Snyk

**Rust:**
- Free: cargo-audit, cargo-deny

**Ruby:**
- Free: bundle-audit, brakeman
- Paid: Snyk

**Java:**
- Free: OWASP Dependency-Check, SpotBugs
- Paid: Sonatype, Snyk
## Step 3: Ask User to Install Tools
**CRITICAL: ALWAYS ask the user before installing any tools.**
Present the recommended tools based on detected stack:
```
I've detected your project uses [STACK]. Here are the recommended security scanning tools:

**Required (Universal):**
- gitleaks - Secret detection
- grype - Vulnerability scanning
- syft - SBOM generation

**Stack-Specific ([STACK]):**
- [tool1] - [purpose]
- [tool2] - [purpose]

**Optional (Enhanced Coverage):**
- trivy - Comprehensive scanner
- semgrep - Static analysis

Would you like me to install these tools?
1. Yes, install all recommended tools
2. Yes, but only the required universal tools
3. Let me select which ones to install
4. No, I'll install them manually
```

**If user selects option 1, 2, or 3:** Proceed with installation using the appropriate package manager, then continue to Step 4.

**If user selects option 4:** Provide installation commands and proceed to Step 4 when they confirm tools are installed.
## Step 4: Run Security Scans
Execute scans based on installed tools and audit mode:
### Quick Mode
```bash
# Secret scanning
gitleaks detect --source=. --no-banner

# Critical vulnerabilities only
grype dir:. --fail-on=critical --only-fixed
```

### Security Mode (includes Quick)
```bash
# Deep secret scan with verification
trufflehog filesystem . --only-verified

# All high+ vulnerabilities
grype dir:. --fail-on=high --only-fixed

# Generate SBOM (same location the checklist and report template expect)
mkdir -p docs/reports
syft dir:. -o cyclonedx-json=docs/reports/sbom-$(date +%Y-%m-%d).json

# Static analysis (if semgrep installed)
semgrep --config auto --error
```

`--only-fixed` hides vulnerabilities that have no upstream fix yet, which is the right behaviour for a pass/fail gate; run grype once more without it when writing the report so unfixed findings are still recorded. `semgrep --config auto` fetches rules from the Semgrep registry and grype downloads its vulnerability database on first use, so both need network access.

### Full Mode (includes Security)
All security checks plus documentation, CI/CD, and observability validation.
## Step 5: Generate Report
Reports MUST be written to the `docs/reports/` directory. Create the directory if it doesn't exist:

```bash
mkdir -p docs/reports
```

Generate a markdown report with today's date:

```bash
# Report filename format
REPORT_FILE="docs/reports/security-audit-$(date +%Y-%m-%d).md"
```
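Steps 1, 4 and 5 as one runner, added here as an example and not part of the skill's own code. `detect_stack` maps the marker files from the Step 1 table to a stack name (first match wins); `run_audit MODE DIR` runs the Step 4 scanners for `quick` or `security` mode, skips any scanner that is not on `PATH` instead of aborting, keeps each tool's output under `docs/reports/`, and writes `docs/reports/security-audit-DATE.md` with an Executive Summary and Tools Used table in the Step 5 layout. PASS/FAIL is taken from the scanner's exit status: gitleaks, `grype --fail-on` and `semgrep --error` exit non-zero on findings; the `--fail` flag for trufflehog is assumed to make it do the same. `demo_audit` builds a constructed, empty Go module so the flow can be exercised offline.

```shell
#!/bin/sh
# Added example, not the skill's own code. Runs the Step 4 scanners that are
# installed, records PASS/FAIL/SKIPPED per tool, and writes the Step 5 report.

# Print the stack for PROJECT_DIR; the first marker file wins, "unknown" if none.
detect_stack() {
  d="$1"
  if   [ -f "$d/package.json" ]; then echo "Node.js/JavaScript"
  elif [ -f "$d/requirements.txt" ] || [ -f "$d/pyproject.toml" ]; then echo "Python"
  elif [ -f "$d/Cargo.toml" ]; then echo "Rust"
  elif [ -f "$d/go.mod" ]; then echo "Go"
  elif [ -f "$d/Gemfile" ]; then echo "Ruby"
  elif [ -f "$d/pom.xml" ] || [ -f "$d/build.gradle" ]; then echo "Java"
  elif [ -f "$d/composer.json" ]; then echo "PHP"
  elif ls "$d"/*.csproj >/dev/null 2>&1; then echo ".NET"
  elif [ -f "$d/pubspec.yaml" ]; then echo "Dart/Flutter"
  else echo "unknown"
  fi
}

# run_check TOOL LOGDIR CMD...: run CMD if TOOL is installed, save its output
# to LOGDIR/TOOL.log and print one markdown row "| tool | version | status |".
# A missing tool is reported as SKIPPED rather than treated as a pass.
run_check() {
  tool="$1"; logdir="$2"; shift 2
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "| $tool | - | SKIPPED (not installed) |"
    return 0
  fi
  version=$("$tool" --version 2>/dev/null | head -n 1)
  if "$@" >"$logdir/$tool.log" 2>&1; then
    echo "| $tool | ${version:-?} | PASS |"
  else
    echo "| $tool | ${version:-?} | FAIL (exit $?, see $tool.log) |"
  fi
}

# run_audit MODE PROJECT_DIR: run the scanners for MODE (quick|security),
# write docs/reports/security-audit-DATE.md and print the report path.
run_audit() {
  mode="$1"; dir="$2"; today=$(date +%Y-%m-%d)
  reports="$dir/docs/reports"; mkdir -p "$reports"
  report="$reports/security-audit-$today.md"
  fail_on=critical; [ "$mode" = security ] && fail_on=high
  rows=$(
    run_check gitleaks "$reports" gitleaks detect --source="$dir" --no-banner
    run_check grype "$reports" grype "dir:$dir" --fail-on="$fail_on" --only-fixed
    if [ "$mode" = security ]; then
      # --fail is assumed to make trufflehog exit non-zero on verified hits.
      run_check trufflehog "$reports" trufflehog filesystem "$dir" --only-verified --fail
      run_check syft "$reports" syft "dir:$dir" -o "cyclonedx-json=$reports/sbom-$today.json"
      run_check semgrep "$reports" semgrep --config auto --error "$dir"
    fi
  )
  passed=$(printf '%s\n' "$rows" | grep -c '| PASS' || true)
  failed=$(printf '%s\n' "$rows" | grep -c '| FAIL' || true)
  skipped=$(printf '%s\n' "$rows" | grep -c 'SKIPPED' || true)
  {
    echo "# Security Audit Report"; echo
    echo "Project: $(basename "$dir")"
    echo "Date: $today"
    echo "Audit Mode: $mode"; echo
    echo "## Executive Summary"; echo
    echo "- Total Checks: $((passed + failed + skipped))"
    echo "- Passed: $passed"
    echo "- Failed: $failed"
    echo "- Skipped: $skipped"; echo
    echo "## Tech Stack Detected"; echo
    echo "- Primary Language: $(detect_stack "$dir")"; echo
    echo "## Tools Used"; echo
    echo "| Tool | Version | Status |"
    echo "|---|---|---|"
    printf '%s\n' "$rows"
  } > "$report"
  echo "$report"
}

# Constructed fixture: an empty Go module audited in quick mode.
demo_audit() {
  d=$(mktemp -d)
  printf 'module example.com/demo\n\ngo 1.22\n' > "$d/go.mod"
  run_audit quick "$d"
}
```

Skipped tools are counted separately from passes on purpose: a report that says "Passed: 2" because nothing was installed would satisfy the exit criteria without scanning anything. The per-tool logs under `docs/reports/` are what the Findings section of the report is filled from.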
### Report Template
The generated report should follow this structure:

```markdown
# Security Audit Report

Project: [project-name]
Date: [YYYY-MM-DD]
Audit Mode: [Quick|Security|Full]
Auditor: Claude Code (production-ready skill)

## Executive Summary

- Total Checks: X
- Passed: X
- Failed: X
- Warnings: X

## Tech Stack Detected

- Primary Language: [language]
- Package Manager: [manager]
- Frameworks: [frameworks]

## Tools Used

| Tool | Version | Purpose |
|---|---|---|
| gitleaks | X.X.X | Secret detection |
| grype | X.X.X | Vulnerability scanning |
| ... | ... | ... |

## Findings

### Critical Issues (Must Fix)

- [Issue Title]
  - Severity: Critical
  - Location: [file:line]
  - Description: [description]
  - Remediation: [steps to fix]

### High Severity Issues

...

### Medium/Low Severity Issues

...

## Dependency Vulnerabilities

| Package | Current | Fixed In | Severity | CVE |
|---|---|---|---|---|
| ... | ... | ... | ... | ... |

## SBOM Summary

- Total Packages: X
- Direct Dependencies: X
- Transitive Dependencies: X
- SBOM Location: docs/reports/sbom-[date].json

## Recommendations

- [Prioritized recommendation]
- [Prioritized recommendation]
...

## Next Steps

- Fix critical vulnerabilities
- Review and remediate high-severity issues
- Update dependencies with known fixes
- Re-run audit after fixes

Generated by production-ready skill v2.0.0
```

## Audit Mode Checklists
### Quick Mode Checklist
- Secrets: Run `gitleaks detect --source=.`
- Critical Vulns: Run `grype dir:. --fail-on=critical`
- Config Basics: Verify `.gitignore` includes `.env`, `*.key`, `*.pem`
- Generate Report: Write findings to `docs/reports/security-audit-[date].md`
### Security Mode Checklist (includes Quick)
- All vulnerabilities: `grype dir:. --fail-on=high`
- SBOM generation: `syft dir:. -o cyclonedx-json=docs/reports/sbom-[date].json`
- Secret deep scan: `trufflehog filesystem . --only-verified`
- Static analysis (if installed): `semgrep --config auto`
- Dependency review: Check for outdated/unmaintained packages
- Configuration hardening:
  - No hardcoded localhost/ports in config files
  - Environment variables for all secrets
  - `.env.example` exists with placeholder values
- Docker security (if applicable):
  - Non-root user specified
  - Pinned base image versions
  - `.dockerignore` exists
- Generate Report: Write comprehensive findings to `docs/reports/security-audit-[date].md`
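The "Config Basics" item of the Quick checklist and the "Configuration hardening" and "Docker security" items above as executable checks, added here as an example rather than taken from the skill. Each check prints one `FAIL ...` line per problem and nothing when it passes; `hardening_failures PROJECT_DIR` runs them all and returns the number of failures, so it can gate a pipeline directly. The file locations are assumptions (`.gitignore`, `.env.example`, `Dockerfile` and `.dockerignore` at the project root), and the two demo functions build constructed fixtures, one deliberately weak and one hardened.

```shell
#!/bin/sh
# Added example, not the skill's own code: checklist items as shell checks.

# .gitignore must list each secret-bearing pattern as a whole line. This is
# stricter than git's own matching (".env*" would also satisfy git); inside
# a real repository `git check-ignore -q .env` gives the exact answer.
check_gitignore() {
  for pat in ".env" "*.key" "*.pem"; do
    grep -qxF -- "$pat" "$1/.gitignore" 2>/dev/null ||
      echo "FAIL gitignore: pattern '$pat' is not ignored"
  done
}

# A committed .env.example must exist and hold placeholders, not values. The
# regex is a heuristic: a bare token of 32+ key-like characters after '='
# looks like a pasted credential; URLs and short placeholders pass.
check_env_example() {
  f="$1/.env.example"
  if [ ! -f "$f" ]; then
    echo "FAIL env: .env.example is missing"
  elif grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9+/=_-]{32,}$' "$f"; then
    echo "FAIL env: .env.example contains what looks like a real secret"
  fi
}

# Every FROM must carry a tag or digest (bare names and :latest fail);
# "scratch" and references to earlier build stages are skipped. The last
# USER must not be root, and .dockerignore must exist so .env, .git and key
# files never enter the build context. A registry port with no tag
# (host:5000/img) is not distinguished from a tag by this check.
check_dockerfile() {
  f="$1/Dockerfile"
  [ -f "$f" ] || return 0                      # not a container project
  stages=$(grep -Ei '^[[:space:]]*FROM[[:space:]].*[[:space:]]AS[[:space:]]' "$f" |
           awk '{printf "%s ", tolower($NF)}')
  grep -Ei '^[[:space:]]*FROM[[:space:]]' "$f" |
    awk '{for (i = 2; i <= NF; i++) if ($i !~ /^--/) {print $i; break}}' |
    while read -r image; do
      lower=$(printf '%s' "$image" | tr 'A-Z' 'a-z')
      [ "$lower" = scratch ] && continue
      case " $stages" in *" $lower "*) continue ;; esac
      case "$image" in
        *@sha256:*) ;;                                   # digest pin
        *:latest) echo "FAIL docker: base image '$image' uses :latest" ;;
        *:*) ;;                                          # tag pin
        *) echo "FAIL docker: base image '$image' has no tag or digest" ;;
      esac
    done
  last_user=$(grep -Ei '^[[:space:]]*USER[[:space:]]' "$f" | tail -n 1 |
              awk '{print $2}' | cut -d: -f1)
  case "$last_user" in
    ""|root|0) echo "FAIL docker: final USER is root or missing" ;;
  esac
  [ -f "$1/.dockerignore" ] || echo "FAIL docker: .dockerignore is missing"
}

# Run every check on PROJECT_DIR, print the failures, return their count.
hardening_failures() {
  out=$(check_gitignore "$1"; check_env_example "$1"; check_dockerfile "$1")
  [ -n "$out" ] && printf '%s\n' "$out"
  n=$(printf '%s\n' "$out" | grep -c '^FAIL' || true)
  return "$n"
}

# Constructed fixtures: a weak project and a hardened one. Each prints the
# failure count (7 for the weak project, 0 for the hardened one).
demo_weak_project() {
  d=$(mktemp -d)
  printf 'node_modules/\n' > "$d/.gitignore"
  printf 'FROM node\nCOPY . .\nCMD ["node", "app.js"]\n' > "$d/Dockerfile"
  n=0; hardening_failures "$d" >/dev/null || n=$?
  echo "$n"
}
demo_hardened_project() {
  d=$(mktemp -d)
  printf '.env\n*.key\n*.pem\n' > "$d/.gitignore"
  printf 'DATABASE_URL=postgres://user:pass@localhost/db\nAPI_KEY=replace-me\n' > "$d/.env.example"
  printf 'FROM node:20-alpine AS build\nFROM build\nRUN adduser -D app\nUSER app\n' > "$d/Dockerfile"
  : > "$d/.dockerignore"
  n=0; hardening_failures "$d" >/dev/null || n=$?
  echo "$n"
}
```

Usage in CI is `hardening_failures . || exit 1`. The weak fixture fails seven times (three missing ignore patterns, no `.env.example`, an untagged base image, no `USER`, no `.dockerignore`); a digest pin (`image@sha256:...`) is accepted ahead of a tag because tags are mutable.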
### Full Mode Checklist (includes Security)
**Documentation:**
- README.md exists with setup instructions
- LICENSE file present
- CHANGELOG.md maintained
- SECURITY.md with vulnerability reporting process
- CONTRIBUTING.md (for open source)

**CI/CD:**
- CI pipeline configured (GitHub Actions, GitLab CI, etc.)
- Automated tests run on PR/push
- Security scanning in pipeline
- Build artifacts validated

**Observability:**
- Health check endpoint (`/health` or `/healthz`)
- Structured logging configured
- Error tracking setup (Sentry, etc.)
- Metrics collection (if applicable)

**Operational:**
- Environment-specific configs separated
- Backup/restore procedures documented
- Rollback plan documented
- On-call runbook (for critical services)

**Generate Report:** Write comprehensive findings to `docs/reports/security-audit-[date].md`

## Web Search for Latest Tools
If the detected tech stack requires specialized tools not listed above, search the internet for current (2025+) industry-standard security scanners for that specific technology. Prioritize:
- Tools recommended by official language/framework documentation
- OWASP-recommended tools
- Tools with active maintenance (commits in last 6 months)
- Tools with significant GitHub stars (>1000) and community adoption
## Security Standards Reference
Based on the OWASP Top 10 2025 (the first five categories, in the order the 2025 list uses):

| Risk | Key Mitigations |
|---|---|
| A01: Broken Access Control | Deny by default, validate permissions server-side |
| A02: Security Misconfiguration | Automated hardening, remove defaults, security headers |
| A03: Software Supply Chain Failures | SBOM, dependency scanning, signed builds |
| A04: Cryptographic Failures | TLS everywhere, strong algorithms, no hardcoded keys |
| A05: Injection | Parameterized queries, input validation |
## Common Issues & Fixes
### Secrets Found
```bash
# Rotate the compromised credential immediately.
# Then remove the file from git history:
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch PATH/TO/FILE" \
  --prune-empty --tag-name-filter cat -- --all

# Or use BFG Repo-Cleaner (faster):
bfg --delete-files "*.env"
```

Rotation is the actual fix; rewriting history only limits further exposure, because anyone who already cloned or forked the repository still has the secret. After either tool the old commits are still present locally: delete the `refs/original/` backup refs that filter-branch leaves behind, run `git reflog expire --expire=now --all` and `git gc --prune=now`, force-push every branch and tag, and have collaborators re-clone. `git filter-branch` is deprecated upstream in favour of `git filter-repo` (`git filter-repo --path PATH/TO/FILE --invert-paths`), which is faster and cleans up after itself.
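The history rewrite above as a repeatable, verifiable procedure, added here as an example and not part of the skill. `purge_file_from_history` runs the same filter-branch command, then removes the `refs/original/` backups, expires the reflog and garbage-collects, since until that happens the old commits (and the secret in them) are still in the repository and would be pushed or cloned. `secret_absent_from_history` greps every commit reachable from any ref to prove the secret is gone. Plain git is assumed; `demo_purge` builds a throwaway repository containing a constructed fake key so the whole flow runs offline. Rotating the credential first is still mandatory.

```shell
#!/bin/sh
# Added example, not the skill's own code: purge a leaked file from all
# history and verify the secret is unreachable afterwards.

# Rewrite every ref to drop FILE, then remove what filter-branch leaves
# behind so the old objects become unreachable and are pruned.
purge_file_from_history() {
  repo="$1"; file="$2"
  (
    cd "$repo" || exit 1
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch --force --index-filter \
      "git rm --cached --ignore-unmatch '$file'" \
      --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1
    # filter-branch keeps the pre-rewrite refs under refs/original/: drop them.
    git for-each-ref --format='%(refname)' refs/original/ |
      while read -r ref; do git update-ref -d "$ref"; done
    git reflog expire --expire=now --all
    git gc --prune=now --quiet
  )
}

# Return 0 when PATTERN appears in no commit reachable from any ref.
secret_absent_from_history() {
  repo="$1"; pattern="$2"
  (
    cd "$repo" || exit 1
    revs=$(git rev-list --all)
    [ -z "$revs" ] && exit 0
    # git grep over commit objects only, never the working tree.
    if git grep -q -e "$pattern" $revs; then exit 1; else exit 0; fi
  )
}

# Constructed fixture: a repo whose second commit added a .env with a fake key.
demo_purge() {
  repo=$(mktemp -d)
  key="AKIA_CONSTRUCTED_FAKE_KEY_000000"     # constructed, not a real credential
  git init -q "$repo"
  git -C "$repo" config user.email "audit@example.com"
  git -C "$repo" config user.name "audit"
  git -C "$repo" config commit.gpgsign false
  echo "# demo" > "$repo/README.md"
  git -C "$repo" add README.md
  git -C "$repo" commit -q -m "add readme"
  echo "AWS_SECRET_ACCESS_KEY=$key" > "$repo/.env"
  git -C "$repo" add -f .env
  git -C "$repo" commit -q -m "oops: commit .env"
  # The key must be visible before the purge and gone afterwards.
  if secret_absent_from_history "$repo" "$key"; then
    echo "fixture broken: key not in history"; return 1
  fi
  purge_file_from_history "$repo" ".env"
  secret_absent_from_history "$repo" "$key"
}
```

Run `secret_absent_from_history . 'THE_LEAKED_VALUE'` after a purge on a real repository; if it fails, look for the value in stashes, other worktrees and forks, which none of these commands touch.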
### Vulnerable Dependencies
```bash
# Update to patched version
npm update PACKAGE              # or
pip install PACKAGE --upgrade   # or
cargo update PACKAGE

# If no patch available, evaluate alternatives
```

`npm update` only moves within the semver range declared in `package.json`; when the fix is a new major version, install it explicitly (`npm install PACKAGE@VERSION`) and commit the updated lockfile. Flagged packages are often transitive, in which case the direct dependency that pulls them in is the one to update. Re-run the scanner after every change rather than trusting the version bump.

## Exit Criteria
The project is production-ready when:
- Zero high/critical vulnerabilities with available fixes
- Zero hardcoded secrets detected
- All required documentation present
- CI/CD pipeline passes all security checks
- SBOM generated and stored in `docs/reports/`
- Health checks operational
- Security audit report generated in `docs/reports/security-audit-[date].md`
## References

See the `references/` directory for:
- `research.md` - Detailed research findings
- `sources.md` - Authoritative sources and links