# Security Ownership Map

## Overview

Build a bipartite graph of people and files from git history, then compute ownership risk and export graph artifacts for Neo4j/Gephi. Also build a file co-change graph (Jaccard similarity on shared commits) to cluster files by how they move together while ignoring large, noisy commits.
## Requirements

- Python 3
- `networkx` (required; community detection is enabled by default)

Install with:

```bash
pip install networkx
```
## Workflow

- Scope the repo and time window (optional `--since`/`--until`).
- Decide sensitivity rules (use defaults or provide a CSV config).
- Build the ownership map with `scripts/run_ownership_map.py` (co-change graph is on by default; use `--cochange-max-files` to ignore supernode commits).
- Communities are computed by default; graphml output is optional (`--graphml`).
- Query the outputs with `scripts/query_ownership.py` for bounded JSON slices.
- Persist and visualize (see `references/neo4j-import.md`).

By default, the co-change graph ignores common “glue” files (lockfiles, `.github/*`, editor config) so clusters reflect actual code movement instead of shared infra edits. Override with `--cochange-exclude` or `--no-default-cochange-excludes`. Dependabot commits are excluded by default; override with `--no-default-author-excludes` or add patterns via `--author-exclude-regex`.

If you want to exclude Linux build glue like `Kbuild` from co-change clustering, pass:

```bash
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo /path/to/linux \
  --out ownership-map-out \
  --cochange-exclude "**/Kbuild"
```
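The co-change step described above, as an added example that is not part of the project's scripts: it computes Jaccard similarity between files over the commits they share, drops glue files first, and skips supernode commits above a file-count cap. The glue patterns, the cap of 20 files, and the commit records are constructed assumptions, not the tool's defaults.

```python
from collections import defaultdict
from fnmatch import fnmatch
from itertools import combinations

# Assumed "glue" patterns for this example; the real tool's defaults may differ.
GLUE_PATTERNS = ["**/Cargo.lock", "**/.github/**", "**/Kbuild"]

# Constructed commits as (sha, files); c5 is a noisy supernode commit.
COMMITS = [
    ("c1", ["crypto/tls/handshake.rs", "crypto/tls/record.rs"]),
    ("c2", ["crypto/tls/handshake.rs", "crypto/tls/record.rs", "Cargo.lock"]),
    ("c3", ["crypto/tls/handshake.rs", "auth/session.rs"]),
    ("c4", ["auth/session.rs", "auth/token.rs"]),
    ("c5", [f"gen/file{i}.rs" for i in range(40)] + ["auth/token.rs"]),
]


def is_glue(path, patterns=GLUE_PATTERNS):
    """True if path matches a glue pattern; '**/X' also matches a root-level X."""
    return any(fnmatch(path, p) or fnmatch(path, p.removeprefix("**/"))
               for p in patterns)


def cochange_edges(commits, max_files=20, min_jaccard=0.0, patterns=GLUE_PATTERNS):
    """Return {(file_a, file_b): jaccard} for files sharing at least one commit.
    Glue files are removed first; a commit still touching more than max_files
    paths is skipped entirely so one mass edit cannot link everything together."""
    commits_by_file = defaultdict(set)
    for sha, files in commits:
        kept = [f for f in files if not is_glue(f, patterns)]
        if len(kept) > max_files:
            continue
        for f in kept:
            commits_by_file[f].add(sha)
    edges = {}
    for a, b in combinations(sorted(commits_by_file), 2):
        shared = commits_by_file[a] & commits_by_file[b]
        if not shared:
            continue
        jaccard = len(shared) / len(commits_by_file[a] | commits_by_file[b])
        if jaccard >= min_jaccard:
            edges[(a, b)] = round(jaccard, 4)
    return edges


if __name__ == "__main__":
    for (a, b), w in sorted(cochange_edges(COMMITS).items(), key=lambda e: -e[1]):
        print(f"{w:.3f}  {a} <-> {b}")
```

Raising `max_files` to 100 lets the 40-file commit through and links every generated file to `auth/token.rs`, which is exactly the noise the cap is meant to remove.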
## Quick start

Run from the repo root:

```bash
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --since "12 months ago" \
  --emit-commits
```

Defaults: author identity, author date, and merge commits excluded. Use `--identity committer`, `--date-field committer`, or `--include-merges` if needed.

Example (override co-change excludes):

```bash
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --cochange-exclude "**/Cargo.lock" \
  --cochange-exclude "**/.github/**" \
  --no-default-cochange-excludes
```

Communities are computed by default. To disable:

```bash
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --no-communities
```
## Sensitivity rules

By default, the script flags common auth/crypto/secret paths. Override by providing a CSV file:

```csv
pattern,tag,weight
/auth/,auth,1.0
/crypto/,crypto,1.0
**/*.pem,secrets,1.0
```

Use it with `--sensitive-config path/to/sensitive.csv`.
## Output artifacts

`ownership-map-out/`

- `people.csv` (nodes: people)
- `files.csv` (nodes: files)
- `edges.csv` (edges: touches)
- `cochange_edges.csv` (file-to-file co-change edges with Jaccard weight; omitted with `--no-cochange`)
- `summary.json` (security ownership findings)
- `commits.jsonl` (optional, if `--emit-commits`)
- `communities.json` (computed by default from co-change edges when available; includes `maintainers` per community; disable with `--no-communities`)
- `cochange.graph.json` (NetworkX node-link JSON with `community_id` + `community_maintainers`; falls back to `ownership.graph.json` if no co-change edges)
- `ownership.graphml` / `cochange.graphml` (optional, if `--graphml`)

`people.csv` also includes `primary_tz_offset`, `primary_tz_minutes`, and `timezone_offsets`.
## LLM query helper

Use `scripts/query_ownership.py` to return small, JSON-bounded slices without loading the full graph into context.

Examples:

```bash
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out people --limit 10
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out files --tag auth --bus-factor-max 1
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out person --person alice@corp --limit 10
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out file --file crypto/tls
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out cochange --file crypto/tls --limit 10
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out summary --section orphaned_sensitive_code
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out community --id 3
```

Use `--community-top-owners 5` (default) to control how many maintainers are stored per community.
## Basic security queries

Run these to answer common security ownership questions with bounded output:

```bash
# Orphaned sensitive code (stale + low bus factor)
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out summary --section orphaned_sensitive_code

# Hidden owners for sensitive tags
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out summary --section hidden_owners

# Sensitive hotspots with low bus factor
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out summary --section bus_factor_hotspots

# Auth/crypto files with bus factor <= 1
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out files --tag auth --bus-factor-max 1
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out files --tag crypto --bus-factor-max 1

# Who is touching sensitive code the most
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out people --sort sensitive_touches --limit 10

# Co-change neighbors (cluster hints for ownership drift)
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out cochange --file path/to/file --min-jaccard 0.05 --limit 20

# Community maintainers (for a cluster)
python skills/skills/security-ownership-map/scripts/query_ownership.py --data-dir ownership-map-out community --id 3

# Monthly maintainers for the community containing a file
python skills/skills/security-ownership-map/scripts/community_maintainers.py \
  --data-dir ownership-map-out \
  --file network/card.c \
  --since 2025-01-01 \
  --top 5

# Quarterly buckets instead of monthly
python skills/skills/security-ownership-map/scripts/community_maintainers.py \
  --data-dir ownership-map-out \
  --file network/card.c \
  --since 2025-01-01 \
  --bucket quarter \
  --top 5
```

Notes:

- Touches default to one authored commit (not per-file). Use `--touch-mode file` to count per-file touches.
- Use `--window-days 90` or `--weight recency --half-life-days 180` to smooth churn.
- Filter bots with `--ignore-author-regex '(bot|dependabot)'`.
- Use `--min-share 0.1` to show stable maintainers only.
- Use `--bucket quarter` for calendar quarter groupings.
- Use `--identity committer` or `--date-field committer` to switch from author attribution.
- Use `--include-merges` to include merge commits (excluded by default).
## Summary format (default)

Use this structure, add fields if needed:

```json
{
  "orphaned_sensitive_code": [
    {
      "path": "crypto/tls/handshake.rs",
      "last_security_touch": "2023-03-12T18:10:04+00:00",
      "bus_factor": 1
    }
  ],
  "hidden_owners": [
    {
      "person": "alice@corp",
      "controls": "63% of auth code"
    }
  ]
}
```
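An added example, not the project's own summary code, showing one way to derive the two sections above from per-file touch records. The touch records, the sensitivity patterns, and the thresholds (bus factor at most 1, stale after 365 days, hidden owner above half of a tag's touches) are assumptions, and `controls` is expressed here as a share of touches rather than of code.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Assumed sensitivity rules in the CSV's (pattern, tag) shape; weights omitted.
SENSITIVE = [("*/auth/*", "auth"), ("*/crypto/*", "crypto"), ("**/*.pem", "secrets")]

# Constructed touches as (person, path, author date); handshake.rs is old and single-owner.
TOUCHES = [
    ("alice@corp", "src/auth/login.rs", "2025-09-01T10:00:00+00:00"),
    ("alice@corp", "src/auth/token.rs", "2025-08-15T10:00:00+00:00"),
    ("bob@corp", "src/auth/token.rs", "2025-07-02T10:00:00+00:00"),
    ("alice@corp", "src/auth/session.rs", "2025-06-20T10:00:00+00:00"),
    ("carol@corp", "src/crypto/tls/handshake.rs", "2023-03-12T18:10:04+00:00"),
    ("dave@corp", "src/util/log.rs", "2025-09-10T10:00:00+00:00"),
]


def tags_for(path):
    return [tag for pat, tag in SENSITIVE if fnmatch(path, pat)]


def build_summary(touches, now_iso, stale_days=365, bus_factor_max=1, hidden_share=0.5):
    """Assumed definitions: orphaned = sensitive file with bus factor <= bus_factor_max and
    no touch within stale_days; hidden owner = top toucher of a tag above hidden_share."""
    now = datetime.fromisoformat(now_iso)
    owners = defaultdict(set)            # path -> distinct people (bus factor)
    last_touch = {}                      # path -> most recent touch timestamp
    tag_touches = defaultdict(Counter)   # tag -> person -> touch count
    for person, path, when in touches:
        tags = tags_for(path)
        if not tags:
            continue  # non-sensitive paths never enter the summary
        ts = datetime.fromisoformat(when)
        owners[path].add(person)
        last_touch[path] = max(last_touch.get(path, ts), ts)
        for tag in tags:
            tag_touches[tag][person] += 1
    orphaned = [
        {"path": p, "last_security_touch": last_touch[p].isoformat(), "bus_factor": len(owners[p])}
        for p in sorted(owners)
        if len(owners[p]) <= bus_factor_max and now - last_touch[p] > timedelta(days=stale_days)
    ]
    hidden = []
    for tag, counts in sorted(tag_touches.items()):
        person, n = counts.most_common(1)[0]
        share = n / sum(counts.values())
        if share > hidden_share:
            hidden.append({"person": person, "controls": f"{share:.0%} of {tag} code"})
    return {"orphaned_sensitive_code": orphaned, "hidden_owners": hidden}
```

Calling `build_summary(TOUCHES, "2025-10-01T00:00:00+00:00")` reports `handshake.rs` as orphaned and flags alice (75% of auth touches) and carol (100% of crypto touches) as hidden owners.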
## Graph persistence

Use `references/neo4j-import.md` when you need to load the CSVs into Neo4j. It includes constraints, import Cypher, and visualization tips.
## Notes

- `bus_factor_hotspots` in `summary.json` lists sensitive files with low bus factor; `orphaned_sensitive_code` is the stale subset.
- If `git log` is too large, narrow with `--since` or `--until`.
- Compare `summary.json` against CODEOWNERS to highlight ownership drift.