awesome-claude-code-security-compliance-suite
🔒 Security & Compliance Skills Suite
Skill by ara.so — Security Skills collection.
A comprehensive security and compliance skill suite derived from hesreallyhim/awesome-claude-code, providing specialized commands and workflows for security audits, vulnerability management, GDPR/SOC2/ISO27001 compliance, and incident response.
What This Project Does
This skill suite provides 10 specialized security commands and 5 multi-step compliance workflows with structured output UI for:
- Vulnerability Scanning: OWASP Top-10 analysis, dependency CVE detection
- Compliance Auditing: GDPR, SOC2, ISO27001 gap analysis
- Security Operations: Threat modeling, penetration testing, IAM audits
- Incident Response: Breach response playbooks and investigation workflows
- Policy Generation: Privacy policies, security documentation
All commands use consistent structured output with progress tracking, findings tables, and prioritized action plans.
Installation
Quick Install (Local Skills Directory)
```bash
# Create Claude skills directory if it doesn't exist
mkdir -p ~/.claude/skills

# Clone the skill suite
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git \
  ~/.claude/skills/awesome-claude-code-security
```
Activate in Claude Code session. In your IDE with Claude Code, run:
```
/read ~/.claude/skills/awesome-claude-code-security/SKILL.md
```
Manual Installation
```bash
# Clone the repository
git clone https://github.com/sparkfinderoven/r01-hesreallyhim-awesome-claude-code-security.git

# Navigate to project directory
cd r01-hesreallyhim-awesome-claude-code-security

# Read the skill documentation
cat SKILL.md
```
Verification
Verify installation by checking available commands:
```bash
# List all security commands
ls -la ~/.claude/skills/awesome-claude-code-security/

# Expected output:
# - SKILL.md (this file)
# - README.md (documentation)
# - commands/ (individual command definitions)
# - workflows/ (multi-step workflow definitions)
```
Core Commands
1. OWASP Top-10 Security Scan
Scans code for OWASP Top-10 vulnerabilities with CVSS scores and remediation guidance.
```bash
/owasp-scan <target_directory>

# Options
/owasp-scan src/ --format json
/owasp-scan . --severity critical,high
/owasp-scan api/ --output report.md
```
**Example Output Structure:**
╔══════════════════════════════════════════════════╗
║ OWASP Security Scan — ./src/api ║
╠══════════════════════════════════════════════════╣
║ Files scanned ✓ 47 ║
║ OWASP checks ✓ 14 ║
║ Findings ✗ 8 issues ║
╚══════════════════════════════════════════════════╝
FINDINGS (severity: desc)
┌──────┬──────────────────────────────┬──────────┬──────────────┐
│ Sev │ Vulnerability │ CVSS │ File │
├──────┼──────────────────────────────┼──────────┼──────────────┤
│ 🔴 │ SQL Injection │ 9.8 │ users.js:42 │
│ 🔴 │ JWT None Algorithm │ 9.1 │ auth.js:18 │
│ 🟠 │ CORS Misconfiguration │ 6.5 │ server.js:12 │
└──────┴──────────────────────────────┴──────────┴──────────────┘
REMEDIATION
• SQL Injection: Use parameterized queries or ORM
• JWT None: Validate algorithm in token verification
• CORS: Restrict origins to known domains
2. Dependency CVE Scanner
Scans project dependencies for known CVEs with exploitability scores.
```bash
/dep-cve

# Options
/dep-cve --scope production
/dep-cve --output json > cve-report.json
/dep-cve --min-cvss 7.0
/dep-cve --show-paths
```
**Example for Node.js project:**
```bash
# Scans package.json and package-lock.json
/dep-cve --scope full

# Output includes:
# - CVE IDs with CVSS scores
# - Affected package versions
# - Upgrade paths
# - Exploitability assessment
```
**Expected Output:**
╔══════════════════════════════════════════════════╗
║ CVE Dependency Scan ║
╠══════════════════════════════════════════════════╣
║ Dependencies checked ✓ 234 ║
║ CVEs found ✗ 12 ║
║ Critical ✗ 3 ║
║ High ⚠ 5 ║
║ Medium ⚠ 4 ║
╚══════════════════════════════════════════════════╝
┌─────────────┬──────────┬─────────────┬──────────────┬─────────────┐
│ Package │ CVE │ CVSS │ Installed │ Fixed In │
├─────────────┼──────────┼─────────────┼──────────────┼─────────────┤
│ lodash │ CVE-2021 │ 9.8 🔴 │ 4.17.15 │ 4.17.21 │
│ axios │ CVE-2022 │ 8.1 🔴 │ 0.21.0 │ 0.21.4 │
│ express │ CVE-2022 │ 7.5 🟠 │ 4.17.1 │ 4.18.2 │
└─────────────┴──────────┴─────────────┴──────────────┴─────────────┘
UPGRADE COMMANDS
npm install lodash@4.17.21
npm install axios@0.21.4
npm install express@4.18.2
3. GDPR Compliance Audit
Maps data flows, identifies consent gaps, and generates DPA checklist.
```bash
/gdpr-audit <application_path>

# Options
/gdpr-audit . --data-map
/gdpr-audit src/ --consent-analysis
/gdpr-audit . --full-report --output gdpr-audit.pdf
```
**Example Analysis:**
╔══════════════════════════════════════════════════╗
║ GDPR Compliance Audit ║
╠══════════════════════════════════════════════════╣
║ Data flows mapped ✓ 24 ║
║ Personal data types ✓ 8 ║
║ Consent gaps ✗ 5 ║
║ DPA requirements ⚠ 12/15 met ║
╚══════════════════════════════════════════════════╝
DATA FLOW MAP
User Registration → Database (PII: email, name, phone)
↳ Consent: ✗ Missing explicit opt-in
↳ Retention: ⚠ No deletion policy defined
↳ Encryption: ✓ AES-256 at rest
Analytics Pipeline → Third-party (IP address, user agent)
↳ Consent: ✗ No cookie banner
↳ DPA: ⚠ No Data Processing Agreement on file
COMPLIANCE GAPS
🔴 Critical:
• No cookie consent mechanism implemented
• Missing data retention policies in privacy policy
• No user data deletion endpoint
🟠 High:
• DPA missing for analytics provider
• DSAR (data subject access request) workflow undefined
4. SOC2 Readiness Assessment
Performs gap analysis across all 5 Trust Service Criteria.
```bash
/soc2-readiness

# Options
/soc2-readiness --criteria security,availability
/soc2-readiness --type type2
/soc2-readiness --output xlsx
```
**Example Output:**
╔══════════════════════════════════════════════════╗
║ SOC 2 Type II Readiness Assessment ║
╠══════════════════════════════════════════════════╣
║ Security ⚠ 65% ready ║
║ Availability ✓ 90% ready ║
║ Confidentiality ✗ 45% ready ║
║ Processing Integrity ⚠ 70% ready ║
║ Privacy ✗ 50% ready ║
╚══════════════════════════════════════════════════╝
SECURITY GAPS
✗ CC6.1: No background checks policy
✗ CC6.6: Missing logical access reviews (quarterly)
⚠ CC7.2: Incomplete system monitoring
AVAILABILITY GAPS
⚠ A1.2: RTO/RPO not documented in DR plan
REMEDIATION TIMELINE
Quick Wins (1-2 weeks):
• Document RTO/RPO targets
• Implement access review schedule
Medium-term (1-3 months):
• Establish background check policy
• Deploy SIEM for continuous monitoring
Strategic (3-6 months):
• Conduct third-party penetration test
• Implement data classification framework
5. Threat Modeling (STRIDE)
Generates STRIDE threat model for architecture diagrams.
```bash
/threat-model <architecture_file>

# Options
/threat-model architecture.png --framework stride
/threat-model system-design.md --risk-matrix
/threat-model . --auto-discover
```
**Example for Web Application:**
╔══════════════════════════════════════════════════╗
║ STRIDE Threat Model ║
╠══════════════════════════════════════════════════╣
║ Components analyzed ✓ 8 ║
║ Data flows ✓ 12 ║
║ Threats identified ✗ 18 ║
╚══════════════════════════════════════════════════╝
ARCHITECTURE COMPONENTS
• Web Application (React SPA)
• API Gateway (nginx)
• Backend API (Node.js/Express)
• Database (PostgreSQL)
• Auth Service (OAuth2)
• External Payment Gateway
THREAT ANALYSIS (STRIDE)
[S]poofing
🔴 API Gateway: No mutual TLS for backend communication
Impact: High | Likelihood: Medium
Mitigation: Implement mTLS between gateway and API
[T]ampering
🟠 Database: SQL injection possible via user input
Impact: Critical | Likelihood: Low
Mitigation: Use parameterized queries
[R]epudiation
🟡 API: Insufficient audit logging for sensitive operations
Impact: Medium | Likelihood: Medium
Mitigation: Implement comprehensive audit trail
[I]nformation Disclosure
🔴 Payment Flow: PCI data logged in application logs
Impact: Critical | Likelihood: Medium
Mitigation: Implement PCI-compliant logging filters
[D]enial of Service
🟠 API: No rate limiting on public endpoints
Impact: High | Likelihood: High
Mitigation: Implement rate limiting middleware
[E]levation of Privilege
🔴 Auth: JWT lacks role claims validation
Impact: Critical | Likelihood: Medium
Mitigation: Add RBAC middleware with role enforcement
RISK MATRIX
```
                       Impact →
Likelihood │ Low      Medium    High      Critical
───────────┼──────────────────────────────────────────
High       │                    DoS
Medium     │          Repud.    Spoof     InfoDisc, EoP
Low        │                              Tamper
```
6. Penetration Test Report Generator
Structures penetration test findings with executive summary and remediation.
```bash
/pentest-report <findings_file>

# Options
/pentest-report findings.json --template executive
/pentest-report scan-results/ --format pdf
/pentest-report . --cvss-threshold 7.0
```
**Example Report Structure:**
╔══════════════════════════════════════════════════╗
║ Penetration Test Report ║
║ Target: api.example.com ║
║ Date: 2024-01-15 ║
╠══════════════════════════════════════════════════╣
║ Critical findings ✗ 4 ║
║ High findings ✗ 7 ║
║ Medium findings ⚠ 12 ║
║ Low/Info ✓ 8 ║
╚══════════════════════════════════════════════════╝
EXECUTIVE SUMMARY
The penetration test identified 31 findings across the web application
and API infrastructure. 4 critical vulnerabilities require immediate
remediation, including SQL injection and authentication bypass issues.
CRITICAL FINDINGS
- SQL Injection in User Search (CVSS 9.8)
  Location: /api/v1/users/search?q=
  Description: User-supplied input in the 'q' parameter is directly concatenated into SQL query without sanitization.
  Proof of Concept: GET /api/v1/users/search?q=' OR '1'='1
  Remediation:
  • Implement parameterized queries
  • Add input validation and sanitization
  • Deploy WAF rules to detect SQL injection patterns
  Timeline: Immediate (< 48 hours)
- Authentication Bypass via JWT None Algorithm (CVSS 9.1)
  Location: /api/v1/auth/verify
  Description: JWT library accepts 'none' algorithm, allowing unsigned tokens.
  Proof of Concept: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
  Remediation:
  • Explicitly reject 'none' algorithm in JWT verification
  • Implement algorithm whitelist
  • Add token signature validation tests
  Timeline: Immediate (< 48 hours)
REMEDIATION ROADMAP
Immediate (< 48 hours):
✗ Fix SQL injection vulnerabilities
✗ Patch JWT authentication bypass
✗ Disable debug endpoints in production
Short-term (1-2 weeks):
⚠ Implement rate limiting
⚠ Add CSRF protection
⚠ Deploy Web Application Firewall
Medium-term (1 month):
⚠ Conduct security code review
⚠ Implement security headers (CSP, HSTS)
⚠ Add automated security scanning to CI/CD
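The JWT finding's remediation (reject `none`, enforce an algorithm allowlist), shown as an added example that is not part of the skill suite or of any JWT library: `naive_verify` reproduces the flaw as the finding describes it and `verify_jwt` is the hardened form. The function names, `DEMO_KEY` and HS256 as the only allowed algorithm are assumptions; the sample token is the one quoted in the finding.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = frozenset({"HS256"})  # assumption: this service only issues HS256 tokens
DEMO_KEY = b"constructed-demo-key"   # constructed for the example, not a real secret
# Unsigned token quoted in the finding above; its header is {"alg":"none","typ":"JWT"}
PAGE_POC_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ."


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_decode(segment):
    """Decode an unpadded base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url text."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def hs256(signing_input, key):
    """HMAC-SHA256 over the 'header.payload' string."""
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def sign_hs256(claims, key):
    """Issue a token the way the (assumed) auth service would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = header + "." + payload
    return signing_input + "." + b64url_encode(hs256(signing_input, key))


def naive_verify(token, key):
    """BEFORE: the token's own header decides how, and whether, it is checked."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "HS256":
        expected = hs256(header_b64 + "." + payload_b64, key)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise TokenError("bad signature")
    elif alg != "none":
        raise TokenError("unsupported algorithm")
    # alg == "none" reaches this line with nothing verified
    return json.loads(b64url_decode(payload_b64))


def verify_jwt(token, key, allowed_algs=ALLOWED_ALGS):
    """AFTER: the verifier, not the token, chooses the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("undecodable token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # Allowlist check: "none", "None", "NONE" and anything unexpected all fail here.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise TokenError("algorithm not allowed")
    # Constant-time comparison; an empty signature can never match.
    if not hmac.compare_digest(hs256(header_b64 + "." + payload_b64, key), signature):
        raise TokenError("bad signature")
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("undecodable payload") from exc


if __name__ == "__main__":
    print("naive accepts unsigned token as:", naive_verify(PAGE_POC_TOKEN, DEMO_KEY))
    try:
        verify_jwt(PAGE_POC_TOKEN, DEMO_KEY)
    except TokenError as exc:
        print("hardened verifier rejects it:", exc)
```

The rejection cases in `verify_jwt` double as the "token signature validation tests" the finding asks for.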
7. Secret Detection (Pre-commit Hook)
Configures pre-commit hooks for secret and credential detection.
```bash
/secret-detect init

# Options
/secret-detect scan <directory>
/secret-detect --entropy-threshold 4.5
/secret-detect --add-patterns custom-patterns.json
```
**Example Configuration:**
```bash
# Initialize secret detection
/secret-detect init

# Creates .pre-commit-config.yaml
```
**Generated `.pre-commit-config.yaml`:**
```yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args:
          - '--baseline'
          - '.secrets.baseline'
          - '--exclude-files'
          - 'package-lock.json|.*\.min\.js'

  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
        args:
          - '--verbose'
          - '--redact'

  # Custom entropy scanning
  - repo: local
    hooks:
      - id: high-entropy-strings
        name: Detect high-entropy strings
        entry: python scripts/entropy-scan.py
        language: python
        args: ['--threshold', '4.5']
```
**Scan Example:**
```bash
/secret-detect scan src/
```
Output:
╔══════════════════════════════════════════════════╗
║ Secret Detection Scan ║
╠══════════════════════════════════════════════════╣
║ Files scanned ✓ 156 ║
║ Secrets detected ✗ 8 ║
║ High entropy strings ⚠ 3 ║
╚══════════════════════════════════════════════════╝
DETECTED SECRETS
┌─────────────────────┬──────────────────┬─────────────────┐
│ Type │ File │ Line │
├─────────────────────┼──────────────────┼─────────────────┤
│ AWS Access Key │ config.js │ 12 │
│ Private Key │ certs/dev.key │ 1 │
│ API Key (Generic) │ api-client.js │ 45 │
│ High Entropy String │ utils.js │ 89 │
└─────────────────────┴──────────────────┴─────────────────┘
REMEDIATION
• Move secrets to environment variables
• Add affected files to .gitignore
• Rotate exposed credentials immediately
• Review git history with: git log -p <file>
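The generated config points a local hook at `scripts/entropy-scan.py` with `--threshold 4.5`, but the page does not show that script. One way to write it, as an added example rather than the suite's own code; the `--hex-threshold` flag, its 3.0 default, the 20-character minimum token length and the sample input are assumptions.

```python
#!/usr/bin/env python3
"""Added example: entropy scanner usable as the local `high-entropy-strings` hook."""
import argparse
import math
import re
import sys
from collections import Counter

# Candidate tokens: runs of 20+ characters from the base64 / URL-safe / hex alphabets.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Constructed sample input (no real credentials).
SAMPLE = """\
const region = "eu-west-1";
const apiKey = "aB3dE5gH7jK9mN1pQ2sT4vW6xY8zC0fL";
const digest = "0123456789abcdef0123456789abcdef01234567";
function get_user_profile_by_identifier(id) { return id; }
"""


def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, threshold=4.5, hex_threshold=3.0, path="<input>"):
    """Return findings for tokens whose entropy meets the limit for their alphabet.

    Hex-only tokens get their own limit (hypothetical --hex-threshold): 16 symbols
    cap entropy at log2(16) = 4.0 bits/char, so a single 4.5 cutoff never flags them.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            token = match.group(0)
            is_hex = HEX_RE.fullmatch(token) is not None
            limit = hex_threshold if is_hex else threshold
            entropy = shannon_entropy(token)
            if entropy >= limit:
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": "hex" if is_hex else "base64",
                    "entropy": round(entropy, 2),
                    # Never echo the secret itself into terminal or CI logs.
                    "redacted": f"{token[:4]}... ({len(token)} chars)",
                })
    return findings


def main(argv=None):
    """pre-commit passes the staged file names after the configured args."""
    parser = argparse.ArgumentParser(description="Flag high-entropy strings")
    parser.add_argument("--threshold", type=float, default=4.5)
    parser.add_argument("--hex-threshold", type=float, default=3.0)
    parser.add_argument("files", nargs="*")
    args = parser.parse_args(argv)
    findings = []
    for path in args.files:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), args.threshold, args.hex_threshold, path)
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['kind']} entropy {f['entropy']} {f['redacted']}")
    return 1 if findings else 0  # non-zero exit makes pre-commit block the commit


if __name__ == "__main__":
    sys.exit(main())
```

Commit hashes and checksums are hex too, so the lower hex limit trades missed keys for false positives; the `--exclude-files` pattern in the config above is where lock files and minified bundles are filtered out.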
8. IAM Least Privilege Audit
Audits IAM roles for over-permissions, stale access, and MFA gaps.
```bash
/iam-audit

# Options
/iam-audit --provider aws
/iam-audit --check-mfa
/iam-audit --stale-days 90
/iam-audit --output csv
```
**Example AWS IAM Audit:**
╔══════════════════════════════════════════════════╗
║ IAM Least Privilege Audit (AWS) ║
╠══════════════════════════════════════════════════╣
║ Users analyzed ✓ 24 ║
║ Roles analyzed ✓ 18 ║
║ Over-permissioned ✗ 7 ║
║ Stale access (90d) ✗ 5 ║
║ Missing MFA ✗ 3 ║
╚══════════════════════════════════════════════════╝
OVER-PERMISSIONED ROLES
┌──────────────────┬─────────────────┬──────────────────┐
│ Role/User │ Issue │ Last Used │
├──────────────────┼─────────────────┼──────────────────┤
│ DevOps-Role │ Admin policy │ 2 days ago │
│ DataScience-Role │ S3 Full Access │ 15 days ago │
│ CI-Pipeline │ IAM permissions │ 1 day ago │
└──────────────────┴─────────────────┴──────────────────┘
RECOMMENDATIONS
DevOps-Role:
Current: AdministratorAccess
Recommended: Custom policy with specific permissions
Unused services: RDS, Lambda, DynamoDB
Suggested Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:GetObject",
        "s3:PutObject",
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    }
  ]
}
```
STALE ACCESS (>90 days)
• jenkins-user (145 days) - Consider deactivating
• legacy-integration (234 days) - Remove
• contractor-temp (98 days) - Review and remove
MISSING MFA
🔴 admin-user (console access)
🔴 ops-team-lead (console access)
⚠ backup-operator (API only)
ACTION PLAN
Immediate:
✗ Enable MFA for admin-user and ops-team-lead
✗ Deactivate access for legacy-integration
Short-term:
⚠ Replace AdministratorAccess with scoped policies
⚠ Implement 90-day access review process
⚠ Add MFA enforcement policy
9. Security Incident Playbook
Generates security incident response playbook following NIST framework.
```bash
/incident-playbook <incident_type>

# Options
/incident-playbook data-breach
/incident-playbook ransomware
/incident-playbook ddos-attack
/incident-playbook --format pdf
```
**Example Playbook:**
╔══════════════════════════════════════════════════╗
║ Security Incident Playbook: Data Breach ║
╠══════════════════════════════════════════════════╣
║ Framework: NIST SP 800-61 ║
║ Phases: 5 ║
╚══════════════════════════════════════════════════╝
PHASE 1: DETECTION & TRIAGE (0-1 hour)
Immediate Actions:
☐ Confirm incident severity and scope
☐ Notify Security Team Lead
☐ Activate incident response team
☐ Begin incident log (time, actions, findings)
Detection Checklist:
☐ Review SIEM alerts and logs
☐ Check data exfiltration indicators
☐ Identify compromised systems/accounts
☐ Determine data types affected
Key Questions:
• What data was accessed/exfiltrated?
• How many records affected?
• When did the breach occur?
• Is the breach ongoing?
PHASE 2: CONTAINMENT (1-4 hours)
Short-term Containment:
☐ Isolate affected systems from network
☐ Disable compromised user accounts
☐ Block malicious IP addresses at firewall
☐ Reset credentials for affected systems
☐ Enable enhanced monitoring
Long-term Containment:
☐ Apply security patches
☐ Implement additional access controls
☐ Deploy IDS/IPS rules
☐ Segment network if not already done
Evidence Preservation:
☐ Take disk/memory snapshots
☐ Preserve logs (application, system, network)
☐ Document all containment actions
☐ Chain of custody for forensic evidence
PHASE 3: ERADICATION (4-24 hours)
☐ Remove malware/backdoors from affected systems
☐ Close vulnerability that enabled breach
☐ Verify no persistence mechanisms remain
☐ Conduct full system security scan
☐ Review and update security configurations
Root Cause Analysis:
• Entry point identification
• Attack vector analysis
• Timeline reconstruction
• Identify control failures
PHASE 4: RECOVERY (1-7 days)
☐ Restore systems from clean backups
☐ Verify system integrity before reconnection
☐ Gradually restore services (least critical first)
☐ Enhanced monitoring for 30 days
☐ User access verification
Validation:
☐ Penetration testing of restored systems
☐ Vulnerability scanning
☐ Security control verification
PHASE 5: POST-INCIDENT (7-30 days)
Lessons Learned Meeting (within 48 hours):
• What happened?
• What was done well?
• What could be improved?
• What will we do differently?
Deliverables:
☐ Incident report (technical)
☐ Executive summary
☐ Timeline of events
☐ Financial impact assessment
☐ Regulatory notification (if required)
Regulatory Obligations:
• GDPR: 72-hour notification to supervisory authority
• CCPA: Notification without unreasonable delay
• HIPAA: 60-day notification to affected individuals
• State breach notification laws (check jurisdictions)
Security Improvements:
☐ Update incident response plan
☐ Implement identified security controls
☐ Conduct security awareness training
☐ Schedule follow-up security assessment
CONTACTS
Security Team:
• Security Lead: ENV:SECURITY_LEAD_CONTACT
• On-Call SIEM: ENV:SIEM_ONCALL
• Forensics Team: ENV:FORENSICS_CONTACT
External:
• Legal Counsel: ENV:LEGAL_CONTACT
• PR/Communications: ENV:PR_CONTACT
• Cyber Insurance: ENV:INSURANCE_CONTACT
• Law Enforcement (FBI IC3): https://www.ic3.gov
Regulatory:
• GDPR DPA: ENV:DPA_CONTACT
• State Attorney General: ENV:STATE_AG_CONTACT
10. Privacy Policy Generator
Generates GDPR/CCPA-compliant privacy policy from data inventory.
```bash
/privacy-policy <data_inventory_file>

# Options
/privacy-policy inventory.json --jurisdiction eu,us,uk
/privacy-policy . --auto-discover
/privacy-policy data-map.yaml --format html
```
**Example Data Inventory:**
```json
{
  "personal_data": [
    {
      "type": "contact",
      "fields": ["email", "name", "phone"],
      "purpose": "user_account",
      "retention": "account_lifetime",
      "third_parties": []
    },
    {
      "type": "analytics",
      "fields": ["ip_address", "user_agent", "session_id"],
      "purpose": "service_improvement",
      "retention": "90_days",
      "third_parties": ["Google Analytics"]
    }
  ]
}
```
Generated Policy Excerpt:
Privacy Policy
Last Updated: 2024-01-15
1. Information We Collect
Contact Information
We collect your email address, name, and phone number when you:
- Create an account
- Contact customer support
- Subscribe to our newsletter
Legal Basis (GDPR): Contract performance, legitimate interest
Retention: Duration of account plus 30 days
Analytics Data
We automatically collect:
- IP address
- Browser type and version
- Device information
- Pages visited and time spent
Legal Basis (GDPR): Legitimate interest (service improvement)
Retention: 90 days
2. How We Use Your Information
We use your information to:
- Provide and maintain our services
- Send account-related notifications
- Improve our products and services
- Comply with legal obligations
3. Third-Party Service Providers
We share your information with:
Google Analytics
- Purpose: Website analytics and usage patterns
- Data shared: IP address, user agent, page views
- Location: United States
- Privacy Policy: https://policies.google.com/privacy
- Data Processing Agreement: In place
4. Your Rights (GDPR)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data
- Restriction: Limit processing of your data
- Portability: Receive your data in machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Where processing is based on consent
To exercise these rights, contact: ENV:PRIVACY_CONTACT_EMAIL
5. Your Rights (CCPA)
California residents have the right to:
- Know what personal information is collected
- Know whether personal information is sold or disclosed
- Say no to the sale of personal information
- Access your personal information
- Request deletion of personal information
- Equal service and price, even if you exercise your privacy rights
6. Data Security
We implement appropriate technical and organizational measures:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Access controls and authentication
- Regular security assessments
- Employee security training
7. International Data Transfers
Your data may be transferred to and processed in:
- United States (Standard Contractual Clauses)
- European Union (GDPR compliant)
We ensure appropriate safeguards are in place for all transfers.
8. Children's Privacy
Our services are not directed to individuals under 16. We do not
knowingly collect personal information from children.
9. Contact Information
Data Controller: [Company Name]
Email: ENV:PRIVACY_CONTACT_EMAIL
Address: [Company Address]
EU Representative: ENV:EU_REP_CONTACT
UK Representative: ENV:UK_REP_CONTACT
Supervisory Authority: [Relevant DPA]
Multi-Step Workflows
Workflow 1: Secure SDLC (Shift-Left Security)
End-to-end secure development lifecycle implementation.
```bash
/workflow:secure-sdlc <project_path>

# Options
/workflow:secure-sdlc . --phase all
/workflow:secure-sdlc src/ --skip-dast
```
**Workflow Steps:**
╔══════════════════════════════════════════════════╗
║ Secure SDLC Workflow ║
╠══════════════════════════════════════════════════╣
║ 1. Threat Model ⟳ In Progress ║
║ 2. SAST Scan ░ Pending ║
║ 3. Dependency Check ░ Pending ║
║ 4. DAST Scan ░ Pending ║
║ 5. Penetration Test ░ Pending ║
║ 6. Security Sign-off ░ Pending ║
╚══════════════════════════════════════════════════╝
PHASE 1: THREAT MODELING
Running: /threat-model architecture.md
[Output from threat model command...]
PHASE 2: STATIC ANALYSIS
Running: /owasp-scan src/
[Output from OWASP scan...]
PHASE 3: DEPENDENCY CHECK
Running: /dep-cve --scope full
[Output from CVE scan...]
PHASE 4: DYNAMIC TESTING
Running DAST against staging environment...
[DAST results...]
PHASE 5: PENETRATION TEST
Generating penetration test checklist...
[Pentest scope and requirements...]
PHASE 6: SECURITY SIGN-OFF
Generating security release checklist...
RELEASE CRITERIA
☐ All critical vulnerabilities resolved