secure-at-inception

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Secure At Inception

源头安全防护

Proactively scan all newly generated or modified code to prevent security vulnerabilities before they enter the codebase. Provides intelligent scanning decisions, caching, and filtering to focus only on NEW issues.

主动扫描所有新生成或修改的代码，在漏洞进入代码库前就将其拦截。提供智能扫描决策、缓存和过滤功能，仅聚焦新问题。

File Type → Scan Type Reference

文件类型→扫描类型参考表

Scan Type Trigger Files MCP Tool

SAST (Code)

Scan Type	Trigger Files	MCP Tool
SAST (Code)	Source files: `.js` , `.ts` , `.py` , `.java` , `.go` , `.rb` , `.php` , `.cs` , `.swift` , `.kt` , `.scala` , `.rs` , `.c` , `.cpp` , `.dart` , and more	`snyk_code_scan`
SCA (Dependencies)	Manifests: `package.json` , `requirements.txt` , `pom.xml` , `build.gradle` , `Gemfile` , `go.mod` , `Cargo.toml` , `*.csproj` , `composer.json` , and more	`snyk_sca_scan`
IaC	Infrastructure: `.tf` , `.tfvars` , K8s YAML (with `apiVersion` / `kind` ), `template.json` / `.yaml` , ARM JSON, `serverless.yml`	`snyk_iac_scan`

Source files:

.js

.ts

.py

.java

.go

.rb

.php

.cs

.swift

.kt

.scala

.rs

.c

.cpp

.dart

, and more

snyk_code_scan

SCA (Dependencies)

Manifests:

package.json

requirements.txt

pom.xml

build.gradle

Gemfile

go.mod

Cargo.toml

*.csproj

composer.json

, and more

snyk_sca_scan

IaC

Infrastructure:

.tf

.tfvars

, K8s YAML (with

apiVersion

kind

template.json

.yaml

, ARM JSON,

serverless.yml

snyk_iac_scan

Skip: binary files, non-IaC JSON/YAML, documentation (

.md

.txt

.rst

), assets, test fixtures.

扫描类型	触发文件	MCP工具
SAST（代码扫描）	源代码文件： `.js` 、 `.ts` 、 `.py` 、 `.java` 、 `.go` 、 `.rb` 、 `.php` 、 `.cs` 、 `.swift` 、 `.kt` 、 `.scala` 、 `.rs` 、 `.c` 、 `.cpp` 、 `.dart` 等	`snyk_code_scan`
SCA（依赖扫描）	清单文件： `package.json` 、 `requirements.txt` 、 `pom.xml` 、 `build.gradle` 、 `Gemfile` 、 `go.mod` 、 `Cargo.toml` 、 `*.csproj` 、 `composer.json` 等	`snyk_sca_scan`
IaC	基础设施文件： `.tf` 、 `.tfvars` 、K8s YAML（包含 `apiVersion` / `kind` ）、 `template.json` / `.yaml` 、ARM JSON、 `serverless.yml`	`snyk_iac_scan`

跳过扫描：二进制文件、非IaC格式的JSON/YAML、文档（

.md

、

.txt

、

.rst

）、资源文件、测试用例。

Phase 1: Change Detection

阶段1：变更检测

Step 1.1: Gather Changed Files

步骤1.1：收集变更文件

Check for changes using one of these methods (in order of preference):

Git diff (if in a git repo):

bash

git diff --name-only HEAD
git diff --name-only --cached  # staged files
git status --porcelain

Session context: Track files created/modified during the current session
User-specified path: If user provides a specific file or directory

通过以下方法（按优先级排序）检查变更：

Git diff（若处于Git仓库中）：

bash

git diff --name-only HEAD
git diff --name-only --cached  # 已暂存文件
git status --porcelain

会话上下文：追踪当前会话中创建/修改的文件
用户指定路径：若用户提供了特定文件或目录

Step 1.2: Categorize Files by Scan Type

步骤1.2：按扫描类型分类文件

Use the File Type → Scan Type Reference table above to map each changed file to the appropriate scan. IaC YAML is distinguished from generic YAML by the presence of

apiVersion

kind

(Kubernetes) or

AWSTemplateFormatVersion

(CloudFormation).

使用上述“文件类型→扫描类型参考表”，将每个变更文件映射到对应的扫描类型。IaC YAML与通用YAML的区别在于是否包含

apiVersion

kind

（Kubernetes）或

AWSTemplateFormatVersion

（CloudFormation）字段。

Phase 2: Execute Scans

阶段2：执行扫描

Run SAST, SCA, and IaC scans in parallel — they are independent of each other. Use the parameters below for each applicable scan type (determined by the File Type → Scan Type Reference table).

并行运行SAST、SCA和IaC扫描——三者相互独立。根据“文件类型→扫描类型参考表”确定适用的扫描类型，并使用以下参数执行扫描。

Step 2.1: SAST Scan (

snyk_code_scan

)

步骤2.1：SAST扫描（

snyk_code_scan

）

```
path
```
: directory containing changed source files (or project root); scan each file individually if < 5 files changed, otherwise scan the parent directory
```
severity_threshold
```
:
```
"medium"
```
(default) or as configured

```
path
```
：包含变更源代码的目录（或项目根目录）；若变更文件少于5个则单独扫描每个文件，否则扫描父目录
```
severity_threshold
```
：
```
"medium"
```
（默认）或自定义配置值

Step 2.2: SCA Scan (

snyk_sca_scan

)

步骤2.2：SCA扫描（

snyk_sca_scan

）

```
path
```
: project root or directory containing the manifest
```
all_projects
```
:
```
true
```
(for monorepos)
```
severity_threshold
```
:
```
"medium"
```
(default) or as configured
Note: SCA scans the entire dependency tree, not just direct changes.

```
path
```
：项目根目录或包含清单文件的目录
```
all_projects
```
：
```
true
```
（适用于单体仓库）
```
severity_threshold
```
：
```
"medium"
```
（默认）或自定义配置值
注意：SCA扫描整个依赖树，而非仅直接变更的依赖。

Step 2.3: IaC Scan (

snyk_iac_scan

)

步骤2.3：IaC扫描（

snyk_iac_scan

）

```
path
```
: directory containing IaC files
```
severity_threshold
```
:
```
"medium"
```
(default) or as configured

```
path
```
：包含IaC文件的目录
```
severity_threshold
```
：
```
"medium"
```
（默认）或自定义配置值

Phase 3: Filter to New Issues

阶段3：过滤新问题

Apply these filters before reporting to surface only issues introduced by the current changes.

SAST: Include a finding only if its file+line falls within a modified line range from

git diff -U0

. Parse

@@ -X,Y +A,B @@

hunks to determine changed ranges; exclude findings outside those ranges as pre-existing.

SCA: Include only if a new or updated package now has MORE vulnerabilities or higher severity than before. Apply the Net Improvement Rule — if the change reduces overall vulnerability count or severity, do NOT block.

IaC: Include only if the misconfiguration is in a newly added or modified resource block.

在报告前应用以下过滤规则，仅展示当前变更引入的问题。

SAST：仅当发现问题的文件+行号落在

git diff -U0

输出的修改行范围内时，才纳入结果。解析

@@ -X,Y +A,B @@

代码块确定变更范围；排除该范围外的预存在问题。

SCA：仅当新增或更新的包出现更多漏洞或更高严重级别的漏洞时才纳入结果。应用净改进规则——若变更减少了整体漏洞数量或降低了严重级别，则不阻止提交。

IaC：仅当配置错误存在于新增或修改的资源块中时才纳入结果。

Phase 4: Report & Decision

阶段4：报告与决策

Step 4.1: Severity Threshold Configuration

步骤4.1：严重级别阈值配置

Mode	Block On	Warn On	Allow
Strict	Low+	-	-
Standard	High+	Medium	Low
Relaxed	Critical only	High	Medium, Low

模式	阻止条件	警告条件	允许条件
严格模式	低及以上级别	-	-
标准模式	高及以上级别	中级别	低级别
宽松模式	仅严重级别	高级别	中、低级别

Step 4.2: Generate Report

步骤4.2：生成报告

undefined

undefined