Back to Details

vulnerability-scanning

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Vulnerability Scanning

漏洞扫描

Automate security vulnerability detection across code, dependencies, and containers.
自动检测代码、依赖和容器中的安全漏洞。

Dependency Scanning

依赖扫描

bash
undefined
bash
undefined

npm audit

npm audit

npm audit --audit-level=high
npm audit --audit-level=high

Snyk

Snyk

snyk test --severity-threshold=high
snyk test --severity-threshold=high

Safety (Python)

Safety (Python)

safety check --full-report
undefined
safety check --full-report
undefined

Container Scanning (Trivy)

容器扫描(Trivy)

bash
undefined
bash
undefined

Scan container image

Scan container image

trivy image myapp:latest --severity HIGH,CRITICAL
trivy image myapp:latest --severity HIGH,CRITICAL

Scan filesystem

Scan filesystem

trivy fs --scanners vuln,secret .
undefined
trivy fs --scanners vuln,secret .
undefined

GitHub Actions Integration

GitHub Actions 集成

yaml
name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: npm audit
        run: npm audit --audit-level=high
yaml
name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: npm audit
        run: npm audit --audit-level=high

Code Analysis (Bandit for Python)

代码分析(Python 用 Bandit)

bash
bandit -r src/ -ll -ii
bash
bandit -r src/ -ll -ii

Node.js Scanner

Node.js 扫描器

javascript
const { execSync } = require('child_process');

function runSecurityScan() {
  const results = {
    npm: JSON.parse(execSync('npm audit --json').toString()),
    trivy: JSON.parse(execSync('trivy fs --format json .').toString())
  };

  const critical = results.npm.metadata?.vulnerabilities?.critical || 0;
  if (critical > 0) {
    console.error(`Found ${critical} critical vulnerabilities`);
    process.exit(1);
  }
}
javascript
const { execSync } = require('child_process');

function runSecurityScan() {
  const results = {
    npm: JSON.parse(execSync('npm audit --json').toString()),
    trivy: JSON.parse(execSync('trivy fs --format json .').toString())
  };

  const critical = results.npm.metadata?.vulnerabilities?.critical || 0;
  if (critical > 0) {
    console.error(`Found ${critical} critical vulnerabilities`);
    process.exit(1);
  }
}

Best Practices

最佳实践

  • Integrate scanning in CI/CD pipeline
  • Fail builds on high/critical findings
  • Scan dependencies and containers
  • Track vulnerabilities over time
  • Document accepted false positives
  • 将扫描集成到CI/CD流水线中
  • 发现高危/严重漏洞时终止构建
  • 扫描依赖和容器
  • 持续跟踪漏洞情况
  • 记录已接受的误报结果

Tools

工具

  • Trivy (containers, filesystem)
  • Snyk (dependencies, code)
  • npm audit / yarn audit
  • Bandit (Python)
  • OWASP Dependency-Check
  • Trivy(容器、文件系统)
  • Snyk(依赖、代码)
  • npm audit / yarn audit
  • Bandit(Python)
  • OWASP Dependency-Check