Back to Details

security-auditor

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security Auditor

安全审计工具

Comprehensive security scanning for codebases. Identifies vulnerabilities before they become incidents. Focuses on actionable findings with remediation guidance.
针对代码库的全面安全扫描工具,在漏洞引发安全事件前识别风险,聚焦可落地的检测结果并提供修复指导。

When to Use

适用场景

Use for:
  • Pre-deployment security audits
  • Dependency vulnerability scanning
  • Secret/credential leak detection
  • Code-level SAST (Static Application Security Testing)
  • Security posture reports for stakeholders
  • OWASP Top 10 compliance checking
  • Pre-PR security reviews
Do NOT use for:
  • Runtime security (WAF, rate limiting) - use infrastructure tools
  • Network security/firewall rules - use cloud/DevOps skills
  • SOC2/HIPAA/PCI compliance - requires legal/organizational process
  • Penetration testing execution - this is detection, not exploitation
适用场景:
  • 部署前安全审计
  • 依赖项漏洞扫描
  • 密钥/凭证泄露检测
  • 代码级SAST(静态应用安全测试)
  • 面向利益相关者的安全态势报告
  • OWASP Top 10合规检查
  • 合并请求(PR)前的安全评审
不适用场景:
  • 运行时安全(WAF、速率限制)- 请使用基础设施工具
  • 网络安全/防火墙规则 - 请使用云/DevOps工具
  • SOC2/HIPAA/PCI合规 - 需遵循法律/组织流程
  • 渗透测试执行 - 本工具仅负责检测,不涉及漏洞利用

Quick Start

快速开始

Full Security Audit

完整安全审计

bash
undefined
bash
undefined

Run comprehensive scan

运行全面扫描

./scripts/full-audit.sh /path/to/project
./scripts/full-audit.sh /path/to/project

Output: security-report.json + summary

输出:security-report.json + 摘要

undefined
undefined

Quick Checks

快速检查

bash
undefined
bash
undefined

Dependency vulnerabilities only

仅扫描依赖项漏洞

npm audit --json > deps-audit.json
npm audit --json > deps-audit.json

Secret detection only

仅检测密钥

./scripts/detect-secrets.sh /path/to/project
./scripts/detect-secrets.sh /path/to/project

OWASP check specific file

针对特定文件的OWASP检查

./scripts/owasp-check.py /path/to/file.js
undefined
./scripts/owasp-check.py /path/to/file.js
undefined

Core Scanning Capabilities

核心扫描能力

1. Dependency Scanning

1. 依赖项扫描

Package ManagerCommandSeverity Levels
npm
npm audit --json
critical, high, moderate, low
yarn
yarn audit --json
same as npm
pip
pip-audit --format json
critical, high, medium, low
cargo
cargo audit --json
same
Decision Tree:
Critical severity found?
├── YES → Block deployment, immediate fix required
│   └── Check if patch available → npm audit fix --force
├── NO → High severity?
    ├── YES → Fix within sprint, document if deferred
    └── NO → Low/Moderate → Track, fix during maintenance
包管理器命令严重级别
npm
npm audit --json
critical, high, moderate, low
yarn
yarn audit --json
与npm一致
pip
pip-audit --format json
critical, high, medium, low
cargo
cargo audit --json
与pip一致
决策流程:
发现严重级别为Critical的漏洞?
├── 是 → 阻止部署,需立即修复
│   └── 检查是否有可用补丁 → npm audit fix --force
├── 否 → 存在High级别漏洞?
    ├── 是 → 在当前迭代内修复,若延迟需记录原因
    └── 否 → Low/Moderate级别 → 跟踪记录,在维护阶段修复

2. Secret Detection

2. 密钥检测

High-Risk Patterns:
  • API keys: 
    /[A-Za-z0-9_]{20,}/
    near "key", "api", "secret"
  • AWS credentials: 
    AKIA[0-9A-Z]{16}
  • Private keys: 
    -----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----
  • JWT tokens: 
    eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+
  • Connection strings: 
    ://[^:]+:[^@]+@
Entropy Analysis:
  • Shannon entropy > 4.5 on strings > 20 chars = suspicious
  • Base64-encoded blobs in source = investigate
False Positive Handling:
Secret-like pattern found?
├── In test file? → Lower severity, document
├── In example/docs? → Check if placeholder
├── High entropy + near "password"/"secret" → High confidence
└── In .env.example? → Acceptable if placeholder values
高风险模式:
  • API密钥:在"key"、"api"、"secret"附近匹配
    /[A-Za-z0-9_]{20,}/
  • AWS凭证:
    AKIA[0-9A-Z]{16}
  • 私钥:
    -----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----
  • JWT令牌:
    eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+
  • 连接字符串:
    ://[^:]+:[^@]+@
熵值分析:
  • 长度超过20字符且香农熵>4.5的字符串 → 可疑
  • 源码中的Base64编码内容 → 需调查
误报处理流程:
发现类密钥模式?
├── 位于测试文件中? → 降低严重级别并记录
├── 位于示例/文档中? → 检查是否为占位符
├── 高熵值且靠近"password"/"secret" → 高可信度
└── 位于.env.example中? → 若为占位符则可接受

3. OWASP Top 10 Static Analysis

3. OWASP Top 10静态分析

#VulnerabilityDetection Pattern
A01Broken Access ControlMissing auth checks on routes
A02Cryptographic FailuresWeak algorithms (MD5, SHA1 for passwords)
A03InjectionUnparameterized queries, eval(), innerHTML
A04Insecure DesignHardcoded credentials, missing rate limits
A05Security MisconfigurationDebug mode in prod, default credentials
A06Vulnerable ComponentsKnown CVEs in dependencies
A07Auth FailuresWeak password policies, session issues
A08Integrity FailuresUnsigned updates, untrusted deserialization
A09Logging FailuresSensitive data in logs, missing audit trails
A10SSRFUnvalidated URL inputs to fetch/request
编号漏洞类型检测模式
A01访问控制失效路由缺失权限校验
A02加密机制失败弱算法(如密码使用MD5、SHA1)
A03注入攻击未参数化查询、eval()、innerHTML
A04不安全设计硬编码凭证、缺失速率限制
A05安全配置错误生产环境开启调试模式、默认凭证
A06易受攻击的组件依赖项中存在已知CVE
A07身份认证失败弱密码策略、会话管理问题
A08完整性失效未签名的更新、不可信反序列化
A09日志记录失效日志中包含敏感数据、缺失审计轨迹
A10SSRF(服务器端请求伪造)对fetch/request的URL输入未做校验

4. Language-Specific Checks

4. 语言专属检查

JavaScript/TypeScript:
  • eval()
    , 
    new Function()
    - code injection
  • innerHTML
    , 
    outerHTML
    - XSS vectors
  • document.write()
    - DOM-based XSS
  • child_process.exec()
    with user input - command injection
  • Regex without timeout - ReDoS vulnerability
Python:
  • pickle.loads()
    with untrusted data - arbitrary code execution
  • yaml.load()
    without 
    Loader=SafeLoader
    - code injection
  • subprocess.shell=True
    - command injection
  • eval()
    , 
    exec()
    - code injection
  • SQL string concatenation - SQL injection
SQL:
  • String concatenation in queries - SQL injection
  • LIKE '%' + input + '%'
    - injection via wildcards
  • Missing parameterization - critical vulnerability
JavaScript/TypeScript:
  • eval()
    new Function()
    - 代码注入风险
  • innerHTML
    outerHTML
    - XSS攻击向量
  • document.write()
    - 基于DOM的XSS
  • child_process.exec()
    结合用户输入 - 命令注入
  • 未设置超时的正则表达式 - ReDoS漏洞
Python:
  • pickle.loads()
    处理不可信数据 - 任意代码执行
  • yaml.load()
    未指定
    Loader=SafeLoader
    - 代码注入
  • subprocess.shell=True
    - 命令注入
  • eval()
    exec()
    - 代码注入
  • SQL字符串拼接 - SQL注入
SQL:
  • 查询中使用字符串拼接 - SQL注入
  • LIKE '%' + input + '%'
    - 通过通配符注入
  • 未使用参数化查询 - 严重漏洞

Anti-Patterns

反模式

Anti-Pattern: Security by Obscurity

反模式:通过模糊实现安全

What it looks like: "Nobody will find this hardcoded password" Why wrong: Secrets in source always leak eventually Instead: Environment variables, secret managers, zero hardcoded secrets
表现:“没人会发现这个硬编码的密码” 问题:源码中的密钥最终总会泄露 正确做法:使用环境变量、密钥管理器,禁止硬编码任何密钥

Anti-Pattern: Audit Fatigue

反模式:审计疲劳

What it looks like: 500 findings, all "medium", team ignores Why wrong: Critical issues buried in noise Instead: Prioritize by exploitability, start with critical/high only
表现:500条检测结果均为“中等”,团队直接忽略 问题:严重问题被淹没在大量告警中 正确做法:按可利用性优先级处理,先解决Critical/High级别问题

Anti-Pattern: Fix Without Understanding

反模式:盲目修复

What it looks like: 
npm audit fix --force
without review Why wrong: May introduce breaking changes, doesn't address root cause Instead: Review each fix, understand the vulnerability, test after
表现:未做评审直接执行
npm audit fix --force
问题:可能引入破坏性变更,未解决漏洞根源 正确做法:逐一评审修复方案,理解漏洞原理,修复后进行测试

Anti-Pattern: One-Time Audit

反模式:一次性审计

What it looks like: "We did a security audit last year" Why wrong: New CVEs daily, code changes constantly Instead: CI/CD integration, weekly automated scans minimum
表现:“我们去年做过安全审计了” 问题:每天都有新的CVE披露,代码也在持续变更 正确做法:集成到CI/CD流程中,每周至少执行一次自动化扫描

Security Report Format

安全报告格式

json
{
  "summary": {
    "critical": 0,
    "high": 2,
    "medium": 5,
    "low": 12,
    "informational": 8
  },
  "findings": [
    {
      "id": "SEC-001",
      "severity": "high",
      "category": "A03:Injection",
      "title": "SQL Injection in user search",
      "location": "src/api/users.js:45",
      "description": "User input concatenated directly into SQL query",
      "evidence": "const query = `SELECT * FROM users WHERE name = '${input}'`",
      "remediation": "Use parameterized queries: db.query('SELECT * FROM users WHERE name = $1', [input])",
      "references": ["https://owasp.org/www-community/attacks/SQL_Injection"]
    }
  ],
  "recommendations": [
    "Implement parameterized queries across all database access",
    "Add input validation layer",
    "Enable SQL query logging for monitoring"
  ]
}
json
{
  "summary": {
    "critical": 0,
    "high": 2,
    "medium": 5,
    "low": 12,
    "informational": 8
  },
  "findings": [
    {
      "id": "SEC-001",
      "severity": "high",
      "category": "A03:Injection",
      "title": "SQL Injection in user search",
      "location": "src/api/users.js:45",
      "description": "User input concatenated directly into SQL query",
      "evidence": "const query = `SELECT * FROM users WHERE name = '${input}'`",
      "remediation": "Use parameterized queries: db.query('SELECT * FROM users WHERE name = $1', [input])",
      "references": ["https://owasp.org/www-community/attacks/SQL_Injection"]
    }
  ],
  "recommendations": [
    "Implement parameterized queries across all database access",
    "Add input validation layer",
    "Enable SQL query logging for monitoring"
  ]
}

CI/CD Integration

CI/CD集成

GitHub Actions Example

GitHub Actions示例

yaml
security-scan:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - name: Run security audit
      run: |
        npm audit --json > audit.json
        ./scripts/detect-secrets.sh . > secrets.json
        ./scripts/generate-report.py
    - name: Fail on critical
      run: |
        if jq '.summary.critical > 0' report.json; then
          echo "Critical vulnerabilities found!"
          exit 1
        fi
yaml
security-scan:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - name: Run security audit
      run: |
        npm audit --json > audit.json
        ./scripts/detect-secrets.sh . > secrets.json
        ./scripts/generate-report.py
    - name: Fail on critical
      run: |
        if jq '.summary.critical > 0' report.json; then
          echo "Critical vulnerabilities found!"
          exit 1
        fi

Scripts (in 
scripts/
folder)

脚本(位于
scripts/
目录)

ScriptPurpose
full-audit.sh
Comprehensive security scan
detect-secrets.sh
High-entropy string and pattern detection
owasp-check.py
OWASP Top 10 static analysis
generate-report.py
Combine findings into unified report
脚本用途
full-audit.sh
全面安全扫描
detect-secrets.sh
高熵字符串与模式检测
owasp-check.py
OWASP Top 10静态分析
generate-report.py
整合检测结果生成统一报告

Expert vs Novice Approach

新手vs专家实践

NoviceExpert
Runs audit once before releaseCI/CD integration, every commit
Focuses on tool output onlyUnderstands vulnerability context
Fixes everything or nothingTriages by exploitability
Uses one scannerLayers multiple tools
Ignores false positivesTunes detection rules
新手做法专家做法
发布前仅运行一次审计集成到CI/CD流程,每次提交都执行扫描
仅关注工具输出理解漏洞的业务上下文
要么全修复要么全忽略按可利用性分级处理
仅使用单一扫描工具组合使用多种工具分层检测
忽略误报调优检测规则降低误报率

Success Metrics

成功指标

MetricTarget
Critical/High pre-production0
Mean time to remediate critical< 24 hours
False positive rate< 10%
Scan coverage100% of deployable code
指标目标值
预生产环境Critical/High级别漏洞0
Critical级别漏洞平均修复时间< 24小时
误报率< 10%
扫描覆盖率可部署代码的100%

Reference Files

参考文件

  • references/owasp-top-10-2024.md
    - Detailed OWASP guidance
  • references/secret-patterns.md
    - Comprehensive regex patterns
  • references/remediation-playbook.md
    - Fix guidance by vulnerability type
  • references/ci-cd-templates.md
    - Integration examples
  • scripts/
    - Working security scanning scripts
Detects: Dependency CVEs | Secret leaks | Injection vulnerabilities | OWASP violations | Security misconfigurations
Use with: site-reliability-engineer (deployment gates) | code-review (PR security checks)
  • references/owasp-top-10-2024.md
    - 详细OWASP指南
  • references/secret-patterns.md
    - 完整正则模式库
  • references/remediation-playbook.md
    - 按漏洞类型分类的修复指南
  • references/ci-cd-templates.md
    - 集成示例
  • scripts/
    - 可用的安全扫描脚本
检测范围:依赖项CVE | 密钥泄露 | 注入漏洞 | OWASP违规 | 安全配置错误
协同角色:站点可靠性工程师(部署门禁) | 代码评审(PR安全检查)