security-audit


Security Audit


Systematic security review for application code, dependencies, and configuration.
Not a replacement for professional penetration testing. Identifies common vulnerabilities within scope of code review.

Audit Types


| Type | Focus | When to Use |
|---|---|---|
| Code Review | OWASP Top 10, injection, auth | New features, PRs, suspicious code |
| Dependency | CVEs, outdated packages | Before deploy, periodic, CI/CD |
| Configuration | Secrets, permissions, hardening | Infrastructure changes, new envs |
| Architecture | Attack surface, data flow | Design phase, major refactors |
| API Security | Auth, authz, rate limiting | New endpoints, public APIs |

When NOT to Use


  • Designing new auth flows — Use api-design for designing OAuth2/JWT endpoints from scratch
  • Performance issues — Use performance-optimization even if caused by auth overhead
  • CI/CD pipeline security — Use ci-cd for pipeline hardening (secret management, permissions)

Key Principles


  • Scope first — Define audit area, depth, and constraints before scanning
  • Classify severity — Critical (24-48h), High (1 week), Medium (2-4 weeks), Low (backlog)
  • Remediate or track — Fix critical issues immediately, create ohno tasks for the rest
  • No secrets in code — Scan for hardcoded credentials, API keys, connection strings

Quick Start Checklist


  1. Define audit scope and type (code, dependency, config, architecture, API)
  2. Run automated scans (npm audit, grep patterns, secret detection)
  3. Review findings and classify severity using the decision tree in the references
  4. Remediate critical/high findings immediately
  5. Create ohno tasks for medium/low findings with appropriate priority
  6. Document findings in audit report
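A scan-and-classify pass covering checklist steps 2 through 5, as an added example that is not part of the original skill: the detection rules are hypothetical and illustrative, the sample files are constructed with fake values, and the severity windows are the ones stated under Key Principles.

```python
import re
from collections import namedtuple

# Remediation windows from the Key Principles above.
SEVERITY_SLA = {"Critical": "24-48h", "High": "1 week",
                "Medium": "2-4 weeks", "Low": "backlog"}

# Hypothetical detection rules (name, regex, severity); illustrative,
# not a complete secret-detection or hardening ruleset.
PATTERNS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Critical"),
    ("Private key block",
     re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "Critical"),
    ("Connection string with embedded password",
     re.compile(r"\b\w+://[^:/\s]+:[^@\s]+@"), "High"),
    ("Hardcoded API key/token",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"][\w\-]{16,}['\"]"),
     "High"),
    ("Debug mode enabled", re.compile(r"^\s*DEBUG\s*=\s*True\b"), "Medium"),
]

Finding = namedtuple("Finding", "path line rule severity sla")

def scan_text(path, text):
    """Step 2: match each line against the rules; one finding per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, sev in PATTERNS:
            if rx.search(line):
                findings.append(Finding(path, lineno, name, sev, SEVERITY_SLA[sev]))
                break
    return findings

def triage(findings):
    """Steps 3-5: Critical/High are fixed now, Medium/Low become tracked tasks."""
    fix_now = [f for f in findings if f.severity in ("Critical", "High")]
    track = [f for f in findings if f.severity in ("Medium", "Low")]
    return fix_now, track

# Constructed sample files with fake values (not real credentials).
SAMPLE_FILES = {
    "config.py": "DB_URL = 'postgres://app:hunter2@db.internal:5432/app'\n",
    "deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=us-east-1\n",
    "settings.py": "DEBUG = True\nALLOWED_HOSTS = ['*']\n",
    "client.js": "const apiKey = process.env.API_KEY; // resolved at runtime\n",
}

def audit(files=SAMPLE_FILES):
    """Run the scan over every file and return all findings, in file order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

The `client.js` sample reads its key from the environment and produces no finding, which is the pattern the No secrets in code principle asks for.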

References


| Reference | Description |
|---|---|
| owasp-top-10.md | OWASP vulnerabilities with detection and fixes |
| dependency-security.md | npm audit, pip-audit, Snyk, CI/CD integration |
| auth-patterns.md | Secure authentication and authorization patterns |
| api-security.md | API-specific security concerns |
| secrets-management.md | Handling sensitive configuration |