security-suite


Security Suite


Purpose: Provide composable, repeatable security/internal-testing primitives for authorized binaries.
This skill separates concerns into primitives so security workflows stay testable and reusable.

Guardrails


  • Use only on binaries you own or are explicitly authorized to assess.
  • Do not use this workflow to bypass legal restrictions or extract third-party proprietary content without authorization.
  • Prefer behavioral assurance and policy gating over ad-hoc one-off reverse-engineering.

Primitive Model


  1. collect-static
    — file metadata, runtime heuristics, linked libraries, embedded archive signatures.
  2. collect-dynamic
    — sandboxed execution trace (processes, file changes, network endpoints).
  3. collect-contract
    — machine-readable behavior contract from help-surface probing.
  4. compare-baseline
    — current vs baseline contract drift (added/removed commands, runtime change).
  5. enforce-policy
    — allowlist/denylist gates and severity-based verdict.
  6. run
    — thin orchestrator that composes primitives and writes suite summary.
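The contract and drift primitives (collect-contract and compare-baseline above), as an added Python example that is not part of the security-suite scripts: it parses constructed argparse-style `--help` text into a minimal contract (sorted commands, global flags and a runtime tag, a shape assumed here rather than the suite's contract.json schema) and diffs two contracts into added/removed commands and a runtime change. The `probe_help` helper runs the binary with `--help` under a timeout; that is execution of the target, so keep it inside the same sandbox the dynamic primitive uses and only point it at binaries you are authorized to assess.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample help text, standing in for what `ao --help` might print (assumption).
BASELINE_HELP = """\
usage: ao [-h] [--version] {build,deploy,status} ...

positional arguments:
  {build,deploy,status}
    build       compile the project
    deploy      push artifacts to the target
    status      show current state

options:
  -h, --help     show this help message and exit
  --version      show program's version number and exit
"""

# Constructed candidate: `deploy` dropped, `rollback` added, a new global flag.
CANDIDATE_HELP = """\
usage: ao [-h] [--version] [--insecure] {build,rollback,status} ...

positional arguments:
  {build,rollback,status}
    build       compile the project
    rollback    revert to the previous deployment
    status      show current state

options:
  -h, --help     show this help message and exit
  --version      show program's version number and exit
  --insecure     skip certificate validation
"""


def probe_help(binary: str, timeout: float = 10.0) -> Optional[str]:
    """Run `<binary> --help` and return its text, or None if it fails to start or hangs.

    This executes the target: do it only for binaries you are authorized to
    assess, and inside the sandbox the dynamic primitive uses.
    """
    try:
        proc = subprocess.run([binary, "--help"], capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout or proc.stderr


def parse_help_surface(help_text: str, runtime: str = "unknown") -> Dict[str, object]:
    """Turn argparse-style help text into a contract: sorted commands, flags, runtime tag."""
    commands: List[str] = []
    choices = re.search(r"\{([^}]+)\}", help_text)  # first {a,b,c} group, i.e. the usage line
    if choices:
        commands = sorted({c.strip() for c in choices.group(1).split(",") if c.strip()})
    flags = set()
    for line in help_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("-"):
            continue
        for token in stripped.split():  # flag tokens come first; stop at the description
            if not token.startswith("-"):
                break
            flags.add(token.rstrip(","))
    return {"commands": commands, "flags": sorted(flags), "runtime": runtime}


def diff_contracts(baseline: Dict[str, object], current: Dict[str, object]) -> Dict[str, object]:
    """Classify drift between two contracts: added/removed commands and flags, runtime change."""
    def delta(key: str):
        old, new = set(baseline.get(key, [])), set(current.get(key, []))
        return sorted(new - old), sorted(old - new)

    added_cmds, removed_cmds = delta("commands")
    added_flags, removed_flags = delta("flags")
    return {
        "added_commands": added_cmds,
        "removed_commands": removed_cmds,
        "added_flags": added_flags,
        "removed_flags": removed_flags,
        "runtime_changed": baseline.get("runtime") != current.get("runtime"),
    }


if __name__ == "__main__":
    base = parse_help_surface(BASELINE_HELP, runtime="static-go")
    cand = parse_help_surface(CANDIDATE_HELP, runtime="static-go")
    print(diff_contracts(base, cand))
```

Flags are tracked alongside commands because a newly added global flag such as `--insecure` is exactly the kind of help-surface drift a contract diff should surface even when the command set looks stable.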

Quick Start


Single run (the default dynamic command is `--help`):

```bash
python3 skills/security-suite/scripts/security_suite.py run \
  --binary "$(command -v ao)" \
  --out-dir .agents/security-suite/ao-current
```

Baseline regression gate (fails the run when commands present in the baseline are missing from the candidate):

```bash
python3 skills/security-suite/scripts/security_suite.py run \
  --binary "$(command -v ao)" \
  --out-dir .agents/security-suite/ao-current \
  --baseline-dir .agents/security-suite/ao-baseline \
  --fail-on-removed
```

Policy gate (fails the run when the policy verdict is a fail):

```bash
python3 skills/security-suite/scripts/security_suite.py run \
  --binary "$(command -v ao)" \
  --out-dir .agents/security-suite/ao-current \
  --policy-file skills/security-suite/references/policy-example.json \
  --fail-on-policy-fail
```

Recommended Workflow


  1. Capture a baseline on a known-good release (verify its signature or checksum first, and keep the baseline directory in version control or artifact storage so the candidate build cannot rewrite it).
  2. Run the suite on the candidate binary in CI.
  3. Compare against the baseline and enforce the policy.
  4. Block promotion on a failing verdict.

Output Contract


All outputs are written under `--out-dir`:
  • static/static-analysis.json
  • dynamic/dynamic-analysis.json
  • contract/contract.json
  • compare/baseline-diff.json (when a baseline is supplied)
  • policy/policy-verdict.json (when a policy is supplied)
  • suite-summary.json
This output structure is intentionally machine-consumable for CI gates.

Policy Model


Use `skills/security-suite/references/policy-example.json` as a starting point.
Supported checks:
  • required_top_level_commands
  • deny_command_patterns
  • max_created_files
  • forbid_file_path_patterns
  • allow_network_endpoint_patterns
  • deny_network_endpoint_patterns
  • block_if_removed_commands
  • min_command_count
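A worked policy evaluation, as an added Python example that is not part of the security-suite scripts: it implements the eight checks listed above against constructed contract, dynamic-analysis and baseline-diff data and produces a severity-based verdict, then writes it where the output contract puts it. The value shapes (regexes for command patterns, glob patterns for file paths and `host:port` endpoints), the input field names, and the per-check severities are this example's assumptions, not the schema of policy-example.json.

```python
import fnmatch
import json
import re
from pathlib import Path
from typing import Any, Dict, List, Optional

# Constructed policy. Keys are the suite's check names; value shapes are assumed here.
POLICY: Dict[str, Any] = {
    "required_top_level_commands": ["build", "status"],
    "deny_command_patterns": [r"^debug-.*", r".*-unsafe$"],        # regexes
    "max_created_files": 5,
    "forbid_file_path_patterns": ["/etc/*", "*/.ssh/*", "/root/*"],  # globs
    "allow_network_endpoint_patterns": ["*.example.com:443"],       # globs on host:port
    "deny_network_endpoint_patterns": ["*:23", "169.254.169.254:*"],
    "block_if_removed_commands": True,
    "min_command_count": 2,
}

# Constructed observations standing in for contract.json, dynamic-analysis.json, baseline-diff.json.
CONTRACT = {"commands": ["build", "status", "debug-shell"]}
DYNAMIC = {
    "created_files": ["/tmp/ao-build.log", "/home/ci/.ssh/known_hosts"],
    "network_endpoints": ["api.example.com:443", "169.254.169.254:80"],
}
DIFF = {"added_commands": ["debug-shell"], "removed_commands": ["deploy"]}

# Assumed severity per check; tune to your environment.
SEVERITY = {
    "required_top_level_commands": "high", "deny_command_patterns": "high",
    "max_created_files": "medium", "forbid_file_path_patterns": "high",
    "allow_network_endpoint_patterns": "medium", "deny_network_endpoint_patterns": "high",
    "block_if_removed_commands": "medium", "min_command_count": "low",
}
RANK = {"low": 0, "medium": 1, "high": 2}


def _matches_any(value: str, patterns: List[str], regex: bool = False) -> bool:
    if regex:
        return any(re.search(p, value) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_policy(policy: Dict[str, Any], contract: Dict[str, Any], dynamic: Dict[str, Any],
                    diff: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Apply every configured check; verdict is fail on any high finding, warn on medium, else pass."""
    cmds = list(contract.get("commands", []))
    files = list(dynamic.get("created_files", []))
    endpoints = list(dynamic.get("network_endpoints", []))
    findings: List[Dict[str, str]] = []

    def flag(check: str, detail: str) -> None:
        findings.append({"check": check, "severity": SEVERITY[check], "detail": detail})

    missing = [c for c in policy.get("required_top_level_commands", []) if c not in cmds]
    if missing:
        flag("required_top_level_commands", f"missing commands: {missing}")
    denied = [c for c in cmds if _matches_any(c, policy.get("deny_command_patterns", []), regex=True)]
    if denied:
        flag("deny_command_patterns", f"denied commands present: {denied}")
    limit = policy.get("max_created_files")
    if limit is not None and len(files) > limit:
        flag("max_created_files", f"{len(files)} files created, limit {limit}")
    bad_files = [f for f in files if _matches_any(f, policy.get("forbid_file_path_patterns", []))]
    if bad_files:
        flag("forbid_file_path_patterns", f"forbidden paths touched: {bad_files}")
    allow = policy.get("allow_network_endpoint_patterns")
    if allow is not None:  # an allowlist, once configured, makes anything else a finding
        outside = [e for e in endpoints if not _matches_any(e, allow)]
        if outside:
            flag("allow_network_endpoint_patterns", f"endpoints outside allowlist: {outside}")
    denied_ep = [e for e in endpoints if _matches_any(e, policy.get("deny_network_endpoint_patterns", []))]
    if denied_ep:
        flag("deny_network_endpoint_patterns", f"denylisted endpoints: {denied_ep}")
    removed = (diff or {}).get("removed_commands", [])
    if policy.get("block_if_removed_commands") and removed:
        flag("block_if_removed_commands", f"commands removed since baseline: {removed}")
    min_count = policy.get("min_command_count")
    if min_count is not None and len(cmds) < min_count:
        flag("min_command_count", f"{len(cmds)} commands, minimum {min_count}")

    worst = max((RANK[f["severity"]] for f in findings), default=-1)
    verdict = "fail" if worst == 2 else "warn" if worst == 1 else "pass"
    return {"verdict": verdict, "findings": findings}


def write_verdict(out_dir: str, verdict: Dict[str, Any]) -> Path:
    """Persist the verdict at <out-dir>/policy/policy-verdict.json, matching the output contract."""
    path = Path(out_dir) / "policy" / "policy-verdict.json"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(verdict, indent=2))
    return path


if __name__ == "__main__":
    print(json.dumps(evaluate_policy(POLICY, CONTRACT, DYNAMIC, DIFF), indent=2))
```

On the constructed data the verdict is a fail: the `debug-shell` command, the `.ssh` write, and the metadata-service endpoint each trip a high-severity check, while the dropped `deploy` command and the endpoint outside the allowlist are medium findings that would only downgrade a clean run to warn. Note that an empty `network_endpoints` list passes the allowlist check, so a candidate whose sandbox blocked networking entirely will not be flagged by this check alone.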

Technique Coverage


This suite is designed for broad binary classes, not just CLI metadata:
  • static runtime/library fingerprinting
  • sandboxed behavior observation
  • command/contract capture
  • drift classification
  • policy enforcement and CI verdicting
It is intentionally modular so you can add deeper primitives later (syscall tracing, SBOM attestation verification, fuzz harnesses) without rewriting the workflow.

Validation


Run:

```bash
bash skills/security-suite/scripts/validate.sh
```

Smoke test (recommended):

```bash
python3 skills/security-suite/scripts/security_suite.py run \
  --binary "$(command -v ao)" \
  --out-dir .tmp/security-suite-smoke \
  --policy-file skills/security-suite/references/policy-example.json
```