app-audit

# App Audit

Audit applications and their infrastructure configurations against the standards defined in your `Platform-Engineering-Constitution.md`.

## Workflow
- Read the platform constitution. Load `Platform-Engineering-Constitution.md` and extract all auditable standards (providers, regions, naming, tags, container standards, IaC conventions, network policies, secret management).
- Discover application artifacts. Scan the repository for IaC files (`*.bicep`, `*.tf`, `*.yaml`), Dockerfiles, Kubernetes manifests, CI/CD configs, and application code.
- Run audit checks against each category below.
- Generate an audit report with findings, severity levels, and remediation recommendations.
- Present the report to the user and offer to fix any issues found.
## Audit Categories

### 1. Cloud Provider & Region Compliance

Check that all infrastructure targets only approved providers and regions.

| Check | What to look for | Severity |
|---|---|---|
| Approved providers only | Provider blocks in Terraform, resource types in Bicep | 🔴 Critical |
| Approved regions only | … in IaC | 🔴 Critical |
| No hardcoded cloud-specific resources in `app.bicep` | Should use portable Radius types | 🟡 Warning |
### 2. Container Standards

Verify Dockerfiles and container configurations meet standards.

| Check | What to look for | Severity |
|---|---|---|
| Non-root user | … in Dockerfile | 🔴 Critical |
| Health endpoints | … in application code | 🟡 Warning |
| Multi-stage build | Multiple … in Dockerfile | 🟡 Warning |
| Image registry | Images reference approved registries (ACR, ECR) | 🟡 Warning |
| No … in production | Image tags should be pinned | 🟡 Warning |
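The Dockerfile rows of the container-standards table, implemented as an added Python example (this is illustrative code, not part of the app-audit skill or the Radius project). It parses a Dockerfile, joins line continuations, and reports the same checks with the same severities: final stage not running as root, more than one build stage, base images pulled from an approved registry, and image references pinned to a version tag or digest. The registry allow-list and the two Dockerfiles are constructed assumptions; a real audit would take the allow-list from `Platform-Engineering-Constitution.md`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "Critical" | "Warning" | "Info", as in the audit tables
    check: str
    detail: str


# Assumed allow-list (constructed); the real one lives in the constitution.
APPROVED_REGISTRIES = {"myorg.azurecr.io", "123456789012.dkr.ecr.us-east-1.amazonaws.com"}

# Constructed sample Dockerfiles; they do not belong to any real project.
GOOD_DOCKERFILE = """\
FROM myorg.azurecr.io/golang:1.22-bookworm AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM myorg.azurecr.io/distroless/static:nonroot@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=build /out/app /app
USER 65532:65532
ENTRYPOINT ["/app"]
"""

BAD_DOCKERFILE = """\
FROM node:latest
WORKDIR /app
COPY . .
RUN npm ci && \\
    npm run build
USER root
CMD ["node", "server.js"]
"""


def parse_instructions(text):
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations, drops comments and blank lines."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf.rstrip())
    pairs = []
    for line in joined:
        head, _, rest = line.partition(" ")
        pairs.append((head.upper(), rest.strip()))
    return pairs


def split_image_ref(ref):
    """Split 'registry/repo:tag@digest' into (registry, tag, digest); unqualified names resolve to docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, slash, rest = ref.partition("/")
    # Docker treats the first path component as a registry only if it looks like a host.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    last = path.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else None
    return registry, tag, digest


def audit_dockerfile(text, approved_registries=APPROVED_REGISTRIES):
    """Run the container-standards checks; an empty list means every check passed."""
    findings = []
    instructions = parse_instructions(text)
    froms = [args for ins, args in instructions if ins == "FROM"]
    if len(froms) < 2:
        findings.append(Finding("Warning", "Multi-stage build",
                                "single FROM stage: build tooling ships in the runtime image"))
    aliases = set()
    for args in froms:
        tokens = [t for t in args.split() if not t.startswith("--")]  # drop flags such as --platform
        ref = tokens[0]
        if len(tokens) >= 3 and tokens[1].upper() == "AS":
            aliases.add(tokens[2])
        if ref in aliases or ref == "scratch":
            continue  # a reference to an earlier stage carries no image to check
        registry, tag, digest = split_image_ref(ref)
        if registry not in approved_registries:
            findings.append(Finding("Warning", "Image registry",
                                    f"{ref} comes from {registry}, which is not an approved registry"))
        if digest is None and tag in (None, "latest"):
            findings.append(Finding("Warning", "Image tags pinned",
                                    f"{ref} is not pinned to a version tag or digest"))
    users = [args for ins, args in instructions if ins == "USER"]
    effective = users[-1].split(":")[0] if users else None  # the last USER applies to the final stage
    if effective is None or effective in ("root", "0"):
        findings.append(Finding("Critical", "Non-root user",
                                "final stage runs as root (no USER instruction, or USER root)"))
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        for f in audit_dockerfile(text) or [Finding("Pass", "all container checks", "")]:
            print(f"{name}: {f.severity:8} {f.check}: {f.detail}")
```

The last `USER` instruction is what matters because earlier stages are discarded at build time; checking only that one avoids false positives when a build stage legitimately runs as root to install packages.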
### 3. IaC Standards

Validate that Terraform/Bicep follows constitution conventions.

| Check | What to look for | Severity |
|---|---|---|
| Approved IaC tooling | Only uses tooling listed in the constitution | 🔴 Critical |
| Module versions pinned | … in module blocks | 🟡 Warning |
| Remote state backend | … configured in Terraform | 🟡 Warning |
| Variables have descriptions | All … | 🟢 Info |
| Variables have type constraints | All … | 🟢 Info |
| … passes | Code passes … | 🟢 Info |
### 4. Naming Conventions

Verify resource names follow the constitution's pattern.

| Check | What to look for | Severity |
|---|---|---|
| Resource names match pattern | Names follow … | 🟡 Warning |
| Consistent casing | All lowercase, hyphens as separators | 🟢 Info |
### 5. Tagging / Labeling

Ensure all required tags are present.

| Check | What to look for | Severity |
|---|---|---|
| Required tags present | All tags from the constitution (…) | 🟡 Warning |
| No missing tags on resources | Every resource has all required tags | 🟡 Warning |
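The naming (section 4) and tagging (section 5) checks together, as an added Python example that is not part of the app-audit skill. It extracts `resource` blocks from a Terraform file by brace counting, then applies the three checks from the tables: lowercase-with-hyphens casing (Info), the constitution's name pattern (Warning), and required tags present on every resource (Warning). The name pattern, the required-tag list and the Terraform snippet are constructed assumptions standing in for values a real audit reads from `Platform-Engineering-Constitution.md`.

```python
import re

# Assumed constitution values (constructed). A real audit loads these from the constitution.
REQUIRED_TAGS = ("owner", "environment", "cost_center")
# Assumed pattern: <app>-<env>-<region>-<type>, lowercase, hyphen separated.
NAME_PATTERN = re.compile(r"^[a-z0-9]+-(dev|stg|prod)-[a-z]+[0-9]*-[a-z0-9]+$")

# Constructed sample Terraform; not from any real repository.
SAMPLE_TF = '''
resource "azurerm_linux_web_app" "good" {
  name     = "billing-prod-eastus-app"
  location = "eastus"
  tags = {
    owner       = "billing-team"
    environment = "prod"
    cost_center = "CC-1234"
  }
}

resource "azurerm_linux_web_app" "bad" {
  name     = "BillingProdEastUS_App"
  location = "eastus"
  tags = {
    owner = "billing-team"
  }
}

resource "azurerm_resource_group" "untagged" {
  name     = "billing-prod-eastus-rg"
  location = "eastus"
}
'''

RESOURCE_HEADER = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.M)


def extract_resources(hcl):
    """Yield (type, label, body) for each resource block; body is the text between its outer braces.
    Braces inside strings or comments are not handled; good enough for an audit pass, not a full HCL parser."""
    for m in RESOURCE_HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]


def audit_resources(hcl, required_tags=REQUIRED_TAGS, pattern=NAME_PATTERN):
    """Return (severity, check, detail) tuples for naming and tagging violations."""
    findings = []
    for rtype, label, body in extract_resources(hcl):
        where = f"{rtype}.{label}"
        name_m = re.search(r'^\s*name\s*=\s*"([^"]*)"', body, re.M)
        if name_m:
            name = name_m.group(1)
            if name != name.lower() or "_" in name:
                findings.append(("Info", "Consistent casing",
                                 f"{where}: {name!r} is not lowercase with hyphen separators"))
            if not pattern.match(name):
                findings.append(("Warning", "Resource names match pattern",
                                 f"{where}: {name!r} does not match {pattern.pattern}"))
        tags_m = re.search(r"tags\s*=\s*\{([^}]*)\}", body)
        present = set(re.findall(r"(\w+)\s*=", tags_m.group(1))) if tags_m else set()
        missing = [t for t in required_tags if t not in present]
        if missing:
            findings.append(("Warning", "Required tags present",
                             f"{where}: missing {', '.join(missing)}"))
    return findings


if __name__ == "__main__":
    for severity, check, detail in audit_resources(SAMPLE_TF):
        print(f"{severity:8} {check}: {detail}")
```

Reporting the casing and pattern checks separately matters for the severity split the guardrails ask for: a name that is merely mixed-case is an Info item, while a name that breaks the constitution's pattern is a Warning, and one resource can trigger both.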
### 6. Network & Security

Validate network and security configurations.

| Check | What to look for | Severity |
|---|---|---|
| NetworkPolicies defined | Kubernetes NetworkPolicy manifests exist | 🟡 Warning |
| No secrets in source code | Grep for API keys, passwords, tokens | 🔴 Critical |
| Secret management aligned | Uses approved secret management (K8s Secrets, Key Vault, Secrets Manager) | 🟡 Warning |
| RBAC enabled | Cluster configs enable RBAC | 🟡 Warning |
### 7. Radius-Specific Checks

If the app uses Radius, validate the Radius configuration.

| Check | What to look for | Severity |
|---|---|---|
| … exists | Required for Radius Bicep extensions | 🔴 Critical |
| Portable resource types used | Uses … | 🟡 Warning |
| … exists | All Radius resources include … | 🔴 Critical |
| Recipe properties set | Properties expected by recipes are declared (e.g., …) | 🟡 Warning |
| Connection env var handling | App code handles both … | 🟡 Warning |
| Health probes configured | Container resources include readiness/liveness probes | 🟡 Warning |
| No local file paths in recipes | Recipe template paths use OCI registry URLs | 🔴 Critical |
| No … in image/recipe references | Should use … | 🟡 Warning |

Treat `Radius.Data/redisCaches` as a valid custom pattern when the repo or environment explicitly includes that resource type, even though it is not part of the current checked-in inventory of `radius-resource-types`.
## Audit Report Format

```markdown
# Application Audit Report

Repository: <repo-name>
Date: <date>
Constitution Version: <version from changelog>

## Summary

| Severity | Count |
|---|---|
| 🔴 Critical | N |
| 🟡 Warning | N |
| 🟢 Info | N |
| ✅ Pass | N |

## Findings

### 🔴 Critical

#### [C1] <Finding Title>
- File: `path/to/file:line`
- Issue: Description of what's wrong
- Constitution Reference: Section N — <section title>
- Remediation: How to fix it

### 🟡 Warning

#### [W1] <Finding Title>
- File: `path/to/file:line`
- Issue: Description of what's wrong
- Constitution Reference: Section N — <section title>
- Remediation: How to fix it

### 🟢 Info

#### [I1] <Finding Title>
- Recommendation: Suggested improvement

### ✅ Passing Checks

- Provider compliance: ✅
- Region compliance: ✅
- Container non-root: ✅
- ...
```

## How to Run an Audit
When invoked, perform these steps:

- Find the constitution: look for `Platform-Engineering-Constitution.md` in the repo root or parent directories.
- Scan for artifacts:

  ```bash
  # Find all auditable files
  find . -name "*.bicep" -o -name "*.tf" -o -name "Dockerfile*" \
    -o -name "*.yaml" -o -name "*.yml" -o -name "bicepconfig.json"
  ```

- Run checks by reading each file and comparing against constitution rules.
- Check application code for health endpoints, connection handling, and secret exposure:

  ```bash
  # Health endpoints
  grep -rn "healthz\|readyz" --include="*.go" --include="*.js" --include="*.py"
  # Secret patterns (flag for review)
  grep -rn "password\s*=\s*['\"]" --include="*.tf" --include="*.bicep"
  grep -rn "API_KEY\|SECRET_KEY\|PRIVATE_KEY" --include="*.go" --include="*.js" --include="*.py"
  # Connection handling
  grep -rn "CONNECTION_.*_PROPERTIES" --include="*.go" --include="*.js" --include="*.py"
  ```

- Generate the report using the format above.
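The code-scanning step above and the "No secrets in source code" row of section 6, carried through to a report in the format from the previous section, as an added Python example (not the skill's own code). The regular expressions are the grep patterns from the steps above, applied with file:line positions over an in-memory repository; each hit becomes a Critical finding, the health-endpoint and connection-handling checks become Warnings when absent and passing checks when present, and `render_report` emits the markdown report with the summary counts, `[C1]`-style IDs and the passing-checks list. The sample repository contents and the constitution section references are constructed assumptions.

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample repository (path -> contents); nothing here comes from a real project.
SAMPLE_REPO = {
    "infra/main.tf": """\
resource "azurerm_key_vault" "kv" {
  name = "kv-demo"
}

variable "db_password" {
  default = ""
}

locals {
  password = "hunter2-in-terraform"
}
""",
    "app/main.go": """\
package main

import (
	"net/http"
	"os"
)

func main() {
	_ = os.Getenv("CONNECTION_REDIS_PROPERTIES")
	http.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) })
}
""",
    "app/config.js": """\
const API_KEY = "constructed-example-value";
""",
}

APP_CODE = ("*.go", "*.js", "*.py")
IAC = ("*.tf", "*.bicep")

# The same patterns as the grep commands in the audit steps.
SECRET_PATTERNS = [
    (IAC, re.compile(r"password\s*=\s*['\"]")),
    (APP_CODE, re.compile(r"API_KEY|SECRET_KEY|PRIVATE_KEY")),
]
HEALTH_PATTERN = re.compile(r"healthz|readyz")
CONNECTION_PATTERN = re.compile(r"CONNECTION_.*_PROPERTIES")


def matches(repo, globs, pattern):
    """Yield (path, line_no, line) for every line matching pattern in files whose name matches one of globs."""
    for path, text in sorted(repo.items()):
        if not any(fnmatch(path.rsplit("/", 1)[-1], g) for g in globs):
            continue
        for no, line in enumerate(text.splitlines(), 1):
            if pattern.search(line):
                yield path, no, line.strip()


def run_checks(repo):
    """Return (findings, passes); findings carry the fields the report format needs."""
    findings, passes = [], []
    for globs, pat in SECRET_PATTERNS:
        for path, no, line in matches(repo, globs, pat):
            findings.append({"severity": "Critical", "title": "Possible secret in source code",
                             "file": f"{path}:{no}", "issue": f"matched /{pat.pattern}/: {line}",
                             "ref": "Section 6 - Network & Security",  # assumed numbering
                             "fix": "Move the value to the approved secret store and reference it from config"})
    if not findings:
        passes.append("No secrets in source code")
    if any(matches(repo, APP_CODE, HEALTH_PATTERN)):
        passes.append("Health endpoints")
    else:
        findings.append({"severity": "Warning", "title": "No health endpoints found", "file": "(application code)",
                         "issue": "no healthz/readyz handler in *.go, *.js or *.py",
                         "ref": "Section 2 - Container Standards",
                         "fix": "Expose readiness and liveness endpoints and wire them to container probes"})
    if any(matches(repo, APP_CODE, CONNECTION_PATTERN)):
        passes.append("Connection env var handling")
    else:
        findings.append({"severity": "Warning", "title": "Connection properties not read", "file": "(application code)",
                         "issue": "no CONNECTION_*_PROPERTIES handling found",
                         "ref": "Section 7 - Radius-Specific Checks",
                         "fix": "Read connection settings from the injected CONNECTION_*_PROPERTIES variables"})
    return findings, passes


def render_report(findings, passes, repo_name="<repo-name>", date="<date>", version="<version from changelog>"):
    """Render findings and passes as markdown in the audit report format."""
    counts = Counter(f["severity"] for f in findings)
    lines = ["# Application Audit Report", "", f"Repository: {repo_name}", f"Date: {date}",
             f"Constitution Version: {version}", "", "## Summary", "", "| Severity | Count |", "|---|---|",
             f"| 🔴 Critical | {counts['Critical']} |", f"| 🟡 Warning | {counts['Warning']} |",
             f"| 🟢 Info | {counts['Info']} |", f"| ✅ Pass | {len(passes)} |", "", "## Findings", ""]
    for sev, icon, prefix in (("Critical", "🔴", "C"), ("Warning", "🟡", "W"), ("Info", "🟢", "I")):
        group = [f for f in findings if f["severity"] == sev]
        if not group:
            continue
        lines += [f"### {icon} {sev}", ""]
        for i, f in enumerate(group, 1):
            lines.append(f"#### [{prefix}{i}] {f['title']}")
            if sev == "Info":
                lines += [f"- Recommendation: {f['fix']}", ""]
            else:
                lines += [f"- File: `{f['file']}`", f"- Issue: {f['issue']}",
                          f"- Constitution Reference: {f['ref']}", f"- Remediation: {f['fix']}", ""]
    lines += ["### ✅ Passing Checks", ""] + [f"- {p}: ✅" for p in passes]
    return "\n".join(lines)


if __name__ == "__main__":
    found, ok = run_checks(SAMPLE_REPO)
    print(render_report(found, ok, repo_name="demo-app"))
```

Secret hits are reported as "possible" because the patterns are deliberately broad (a variable named `db_password` with an empty default does not match, but a test fixture might); the guardrails still require the finding to carry the exact file and line so the reviewer can triage it quickly.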
## Guardrails

- Never modify files during an audit. This skill is read-only. Only report findings and recommendations.
- Always reference the constitution section that each finding relates to.
- Be specific about file paths and line numbers in findings.
- Offer to fix issues after presenting the report, but wait for user approval.
- Don't flag style issues — only flag standards violations defined in the constitution.
- Distinguish severity accurately — Critical = security risk or hard policy violation, Warning = best practice deviation, Info = improvement opportunity.
- Acknowledge passing checks — don't just report failures. Show what's already compliant.
- If no constitution exists, tell the user and recommend using the `platform-constitution` skill to create one first.