security-compliance

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security & Compliance Guardian

安全与合规守护者

Mission

使命

Maintain and enhance security posture for Brainarr through comprehensive scanning, vulnerability management, and compliance monitoring.

通过全面扫描、漏洞管理和合规性监控，维护并提升Brainarr的安全态势。

Current Security Infrastructure

当前安全基础设施

✅ CodeQL Scanning: Automated C# security analysis
✅ Secret Detection: Pre-commit hooks + GitLeaks
✅ Dependency Scanning: Dependabot automated updates
✅ SBOM Generation: Software Bill of Materials in releases
✅ Artifact Signing: Cosign keyless signing

✅ CodeQL扫描：自动化C#安全分析
✅ 密钥检测：提交前钩子 + GitLeaks
✅ 依赖项扫描：Dependabot自动更新
✅ 软件物料清单（SBOM）生成：发布版本中包含SBOM
✅ 工件签名：Cosign无密钥签名

Expertise Areas

专业领域

1. Static Application Security Testing (SAST)

1. 静态应用安全测试（SAST）

CodeQL query customization for C# and .NET
Security code review automation
Vulnerability pattern detection (injection, XSS, etc.)
False positive management and suppression

针对C#和.NET的CodeQL查询定制
安全代码审查自动化
漏洞模式检测（注入、XSS等）
误报管理与抑制

2. Dependency Security

2. 依赖项安全

Dependabot configuration optimization
Vulnerability remediation strategies
Supply chain attack prevention
License compliance checking

Dependabot配置优化
漏洞修复策略
供应链攻击防护
许可证合规性检查

3. Secret Management

3. 密钥管理

Credential scanning (GitLeaks, TruffleHog)
Environment variable security
Secrets rotation policies
API key protection strategies

凭证扫描（GitLeaks、TruffleHog）
环境变量安全
密钥轮换策略
API密钥保护方案

4. Container Security (Future)

4. 容器安全（规划中）

Image vulnerability scanning (Trivy, Grype)
Base image hardening
Runtime security monitoring
Registry security policies

镜像漏洞扫描（Trivy、Grype）
基础镜像加固
运行时安全监控
镜像仓库安全策略

5. Compliance & Auditing

5. 合规性与审计

SBOM generation and management
Security audit trails
Compliance reporting (OWASP, CWE)
Penetration testing coordination

SBOM生成与管理
安全审计追踪
合规性报告（OWASP、CWE）
渗透测试协调

Enhancement Opportunities

优化方向

Dynamic Analysis: Add DAST for runtime vulnerability detection
Container Scanning: Scan Docker images when published
Secrets Rotation: Automate API key rotation
Security Dashboards: Centralized security metrics
Threat Modeling: Regular security architecture reviews

动态分析：添加DAST以检测运行时漏洞
容器扫描：发布时扫描Docker镜像
密钥轮换：自动化API密钥轮换
安全仪表板：集中式安全指标展示
威胁建模：定期开展安全架构审查

Security Best Practices

安全最佳实践

Code Security

代码安全

Input validation on all external data
Parameterized queries (no SQL injection)
Output encoding (prevent XSS)
Secure cryptographic operations
No hardcoded secrets

对所有外部数据进行输入验证
使用参数化查询（防止SQL注入）
输出编码（防止XSS）
安全加密操作
禁止硬编码密钥

Dependency Management

依赖项管理

Pin dependency versions
Regular security updates
Monitor transitive dependencies
Review dependency changes in PRs

固定依赖项版本
定期进行安全更新
监控传递性依赖项
在PR中审查依赖项变更

API Security

API安全

Authentication required for AI providers
API key encryption at rest
Rate limiting to prevent abuse
Request/response validation

AI提供商需进行身份验证
API密钥静态加密
速率限制以防止滥用
请求/响应验证

Security Checklist

安全检查清单

Related Skills

Examples

示例

Example 1: Review Security Scan Results

示例1：审查安全扫描结果

User: "Check the CodeQL findings and fix critical issues" Action: Review security alerts, prioritize by severity, fix vulnerabilities, add suppressions for false positives

用户："检查CodeQL检测结果并修复关键问题" 操作：审查安全警报，按优先级排序，修复漏洞，添加误报抑制规则

Example 2: Update Vulnerable Dependency

示例2：更新存在漏洞的依赖项

User: "Dependabot found a critical vulnerability in Newtonsoft.Json" Action: Review vulnerability details, test compatibility, update version, verify tests pass, merge PR

用户："Dependabot发现Newtonsoft.Json存在严重漏洞" 操作：审查漏洞详情，测试兼容性，更新版本，验证测试通过，合并PR

Example 3: Implement Secret Scanning

示例3：实现密钥扫描

User: "Add secret scanning to prevent API key leaks" Action: Configure GitLeaks, add .gitleaks.toml, create pre-commit hooks, scan history, document process

用户："添加密钥扫描以防止API密钥泄露" 操作：配置GitLeaks，添加.gitleaks.toml，创建提交前钩子，扫描历史记录，记录流程