testing-security


Purpose

This skill automates security testing by integrating DAST tools (OWASP ZAP, Nuclei), SAST tools (Semgrep, Bandit), SCA tools (Snyk, Trivy), and secrets scanners (detect-secrets, TruffleHog) to identify vulnerabilities in code, applications, and secrets.

When to Use

Use this skill during CI/CD pipelines, before deployments, or for periodic audits; ideal for projects with web apps, APIs, or codebases in languages like Python, Java, or JavaScript where security flaws could lead to breaches.

Key Capabilities

  • DAST: Run OWASP ZAP for active scanning of web apps, detecting issues like XSS or SQLi; use Nuclei for custom vulnerability templates.
  • SAST: Execute Semgrep for pattern-based code analysis (e.g., YAML rulesets) or Bandit for Python-specific flaws like insecure imports.
  • SCA: Leverage Snyk to scan dependencies for known CVEs via SBOM analysis; use Trivy for container image scanning with vulnerability databases.
  • Secrets Detection: Apply detect-secrets to scan files for patterns like API keys; use TruffleHog for Git history scans to find exposed secrets.
  • Integration: Combine tools in a single workflow, e.g., run SAST on code changes and DAST on staging environments.

Usage Patterns

Always configure tools via environment variables for authentication (e.g., `$ZAP_API_KEY` for OWASP ZAP, `$SNYK_TOKEN` for Snyk). Start with a baseline scan on new projects, then automate in scripts.
  • Pattern 1: For CI/CD, trigger SAST on pull requests and DAST on builds; example: use GitHub Actions to run Semgrep on diffed files.
  • Pattern 2: For local testing, chain tools sequentially: first run Trivy on Docker images, then Nuclei on URLs.
  • Example 1: To scan a Python repo for SAST and secrets: install the tools, run Bandit on the files, then detect-secrets; output the results to a JSON report for parsing.
  • Example 2: For a web app, perform DAST: start OWASP ZAP in daemon mode, use `zap-cli` to scan a URL, and follow with Nuclei for specific vulnerability checks.

Common Commands/API

Use these exact commands in scripts or terminals; ensure dependencies are installed (e.g., via pip or Docker).
  • OWASP ZAP (DAST): Start with `zap.sh -daemon -port 8080`, then scan via `zap-cli -p 8080 quick-scan --spider https://target.com --report html`. API endpoint: POST to `/JSON/core/action/newSession/` with `$ZAP_API_KEY`.
  • Nuclei (DAST): Run `nuclei -t templates/ -u https://target.com -o results.txt`; use a config file such as `nuclei-config.yaml` to set severity levels.
  • Semgrep (SAST): Execute `semgrep --config p/default --lang python .`; customize with a `.semgrep.yml` file, for example (the `message`, `languages` and `severity` fields are required for a rule to load):
    ```yaml
    rules:
      - id: no-os-system
        patterns:
          - pattern: os.system(...)
        message: "os.system() call detected; use subprocess with a list argument"
        languages: [python]
        severity: WARNING
    ```
  • Bandit (SAST): Command: `bandit -r /path/to/code -f json`; ignore paths via `-x tests/`.
  • Snyk (SCA): Authenticate with `$SNYK_TOKEN`, then `snyk test --file=requirements.txt`; API: GET `https://snyk.io/api/v1/org/{orgId}/projects` for project lists.
  • Trivy (SCA): Scan image: `trivy image myimage:latest --exit-code 1 --severity CRITICAL`; config via `.trivy.yaml` with `ignoreUnfixed: true`.
  • detect-secrets (Secrets): Run `detect-secrets scan > .secrets.baseline`; use with a Git hook via the separate entry point `detect-secrets-hook --baseline .secrets.baseline` (the `detect-secrets` CLI itself has only `scan` and `audit` subcommands).
  • TruffleHog (Secrets): Command: `trufflehog git https://github.com/repo --since-commit HEAD~1`; filter with `--regex` for patterns.

Integration Notes

Integrate via scripts or orchestration tools like Jenkins or GitHub Actions; pass outputs as JSON for chaining. For auth, set env vars like `$TRIVY_USERNAME` and `$TRIVY_PASSWORD`. Use Docker images (e.g., `owasp/zap2docker-stable`) for isolated runs. Config formats: YAML for Semgrep rules (e.g., `{ patterns: [pattern: "regex"] }`), JSON for Snyk reports. Ensure tools are version-pinned (e.g., Semgrep v0.100.0) to avoid breaking changes.

Error Handling

Check exit codes after each command (e.g., Semgrep returns non-zero on findings); parse errors from stdout, such as the "error" keys in OWASP ZAP's JSON responses. Common issues: network errors in DAST, retry with `zap-cli --retries 3`; authentication failures, verify env vars (e.g., if `$SNYK_TOKEN` is invalid the output reports "Auth error"). Log all outputs to files and handle failures in scripts (Bash has no try/catch, so use the `||` fallback), e.g.: `zap-cli quick-scan || echo "Scan failed: $?" >> error.log`. For API calls, check HTTP status codes (e.g., 401 for unauthorized).
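The checks described above (exit codes, retries, "error" keys in ZAP's JSON, HTTP 401) as an added example in Python; this is not the skill's own code. `FINDINGS_EXIT_CODES` is a constructed assumption about which exit codes mean "findings" rather than "tool failed", and `fake_scanner` is a constructed stand-in for a real scanner so the runner can be exercised offline; in a real pipeline `cmd` would be the Bandit, Trivy or zap-cli invocation.

```python
import json
import subprocess
import sys

# Constructed assumption: exit codes that mean "findings" rather than "tool failed".
# Bandit and `trivy --exit-code 1` use 1 for findings; confirm per tool and version.
FINDINGS_EXIT_CODES = {"bandit": {1}, "trivy": {1}, "semgrep": {1}}

def run_scanner(tool, cmd, retries=3, log_file=None):
    """Run a scanner, retrying only on tool errors (non-zero codes that are not
    'findings' codes). Returns a dict whose status is 'clean', 'findings' or 'error'."""
    retries = max(1, retries)
    for attempt in range(1, retries + 1):
        proc = subprocess.run(cmd, capture_output=True, text=True)
        if log_file:  # keep every attempt's output on disk, as the doc recommends
            with open(log_file, "a") as fh:
                fh.write(f"[{tool}] attempt {attempt} rc={proc.returncode}\n{proc.stderr}")
        if proc.returncode == 0:
            return {"status": "clean", "attempts": attempt, "stdout": proc.stdout}
        if proc.returncode in FINDINGS_EXIT_CODES.get(tool, set()):
            return {"status": "findings", "attempts": attempt, "stdout": proc.stdout}
    return {"status": "error", "attempts": retries, "rc": proc.returncode, "stderr": proc.stderr}

def api_error(status_code, body):
    """Classify an HTTP API reply (ZAP, Snyk). None on success, else a short reason;
    the status code is checked before the body, so a 401 is reported as an auth problem."""
    if status_code == 401:
        return "unauthorized: check the API key/token env var"
    if status_code >= 400:
        return f"http {status_code}"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "non-JSON response body"
    if isinstance(data, dict):
        if "error" in data:  # the key the doc says to look for
            return str(data["error"])
        if "code" in data and "message" in data:  # shape of ZAP's own API errors
            return f'{data["code"]}: {data["message"]}'
    return None

def fake_scanner(exit_code):
    """Constructed stand-in for a real scanner: a child process exiting with exit_code."""
    return [sys.executable, "-c", f"import sys; sys.exit({exit_code})"]

if __name__ == "__main__":
    print(run_scanner("bandit", fake_scanner(1)))
    print(api_error(200, '{"code": "does_not_exist", "message": "Does Not Exist"}'))
```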

Graph Relationships

  • Related to: "testing" cluster (e.g., links to unit-testing or integration-testing skills for combined workflows).
  • Depends on: OWASP ZAP for DAST, Semgrep for SAST.
  • Integrates with: Snyk API for SCA, TruffleHog for secrets in version control systems.