security-audit

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

security-audit

安全审计

Description: Security requirements validation, vulnerability assessment, and compliance checking

Category: Security & Compliance

Complexity: High (multi-layer security analysis)

描述: 安全需求验证、漏洞评估与合规性检查

分类: 安全与合规

复杂度: 高（多层安全分析）

Purpose

目标

Ensure security requirements are properly defined, implemented, and tested. Identify vulnerabilities across code, dependencies, infrastructure, and configurations. Validate compliance with security standards and best practices.

确保安全需求得到恰当的定义、实现与测试。识别代码、依赖项、基础设施及配置中的漏洞。验证是否符合安全标准与最佳实践。

Capabilities

能力范围

1. Security Requirements Validation

1. 安全需求验证

Validate security requirements from REQ documents
Check completeness of security specifications
Verify authentication/authorization requirements
Validate data protection requirements
Check encryption specifications

验证REQ文档中的安全需求
检查安全规范的完整性
验证身份认证/授权需求
验证数据保护需求
检查加密规范

2. Code Security Scanning

2. 代码安全扫描

SAST (Static Application Security Testing): bandit, semgrep
Dependency scanning: safety, pip-audit
Secret detection: detect-secrets, gitleaks
SQL injection detection: Pattern matching
XSS vulnerability detection: Input validation analysis
CSRF protection: Token validation checking

SAST（静态应用安全测试）: bandit、semgrep
依赖项扫描: safety、pip-audit
敏感信息检测: detect-secrets、gitleaks
SQL注入检测: 模式匹配
XSS漏洞检测: 输入验证分析
CSRF防护: Token验证检查

3. Infrastructure Security

3. 基础设施安全

IaC security scanning: checkov, tfsec
Container security: trivy, grype
Kubernetes security: kubesec, kube-bench
Cloud configuration: AWS Security Hub, Azure Security Center
Network security: Firewall rules, security groups

IaC安全扫描: checkov、tfsec
容器安全: trivy、grype
Kubernetes安全: kubesec、kube-bench
云配置: AWS Security Hub、Azure Security Center
网络安全: 防火墙规则、安全组

4. Dependency Vulnerability Assessment

4. 依赖项漏洞评估

Known CVE detection
License compliance
Outdated package identification
Transitive dependency analysis
Vulnerability severity scoring (CVSS)

已知CVE检测
许可证合规性
过时包识别
传递依赖项分析
漏洞严重程度评分（CVSS）

5. Authentication & Authorization

5. 身份认证与授权

JWT implementation validation
Password policy enforcement
Session management review
OAuth/OIDC configuration
Role-based access control (RBAC)

JWT实现验证
密码策略强制执行
会话管理审查
OAuth/OIDC配置
基于角色的访问控制（RBAC）

6. Data Protection

6. 数据保护

Encryption at rest validation
Encryption in transit (TLS/SSL)
PII/sensitive data handling
Data retention policies
Backup security

静态数据加密验证
传输中加密（TLS/SSL）
PII/敏感数据处理
数据保留策略
备份安全

7. Compliance Checking

7. 合规性检查

OWASP Top 10 coverage
CWE mapping
GDPR compliance (data protection)
HIPAA compliance (healthcare)
SOC 2 requirements
PCI DSS (payment card data)

OWASP Top 10覆盖情况
CWE映射
GDPR合规性（数据保护）
HIPAA合规性（医疗保健）
SOC 2要求
PCI DSS（支付卡数据）

8. Threat Modeling

8. 威胁建模

STRIDE analysis
Attack surface mapping
Data flow diagrams
Trust boundary identification
Threat scenario generation

STRIDE分析
攻击面映射
数据流图
信任边界识别
威胁场景生成

Security Audit Workflow

安全审计工作流

mermaid

graph TD
    A[Security Audit] --> B[Requirements Analysis]
    B --> C{Security REQs Complete?}
    C -->|No| D[Flag Missing Requirements]
    C -->|Yes| E[Code Security Scan]

    E --> F[SAST Analysis]
    F --> G[Dependency Scan]
    G --> H[Secret Detection]

    H --> I{Critical Issues?}
    I -->|Yes| J[Block Deployment]
    I -->|No| K[Infrastructure Scan]

    K --> L[IaC Security]
    L --> M[Container Security]
    M --> N[Cloud Config Review]

    N --> O{Security Violations?}
    O -->|Yes| P[Generate Remediation Plan]
    O -->|No| Q[Compliance Check]

    Q --> R{Compliant?}
    R -->|No| S[Flag Compliance Gaps]
    R -->|Yes| T[Threat Modeling]

    T --> U[Identify Threats]
    U --> V[Risk Assessment]
    V --> W[Generate Security Report]

    D --> W
    J --> W
    P --> W
    S --> W

mermaid

graph TD
    A[Security Audit] --> B[Requirements Analysis]
    B --> C{Security REQs Complete?}
    C -->|No| D[Flag Missing Requirements]
    C -->|Yes| E[Code Security Scan]

    E --> F[SAST Analysis]
    F --> G[Dependency Scan]
    G --> H[Secret Detection]

    H --> I{Critical Issues?}
    I -->|Yes| J[Block Deployment]
    I -->|No| K[Infrastructure Scan]

    K --> L[IaC Security]
    L --> M[Container Security]
    M --> N[Cloud Config Review]

    N --> O{Security Violations?}
    O -->|Yes| P[Generate Remediation Plan]
    O -->|No| Q[Compliance Check]

    Q --> R{Compliant?}
    R -->|No| S[Flag Compliance Gaps]
    R -->|Yes| T[Threat Modeling]

    T --> U[Identify Threats]
    U --> V[Risk Assessment]
    V --> W[Generate Security Report]

    D --> W
    J --> W
    P --> W
    S --> W

Usage Instructions

使用说明

Comprehensive Security Audit

全面安全审计

bash

security-audit full-audit \
  --requirements reqs/ \
  --code src/ \
  --infrastructure infrastructure/ \
  --output reports/security/

Output:

=== Security Audit Report ===
Date: 2025-01-15
Scope: Full system audit

Overall Security Score: 72/100 (Acceptable)

CRITICAL ISSUES (2):
1. [CWE-89] SQL Injection vulnerability
   - File: src/api/users.py:145
   - Description: Direct string concatenation in SQL query
   - CVSS Score: 9.8 (Critical)
   - Fix: Use parameterized queries
   - Status: BLOCKS DEPLOYMENT ❌

2. [CWE-798] Hardcoded credentials
   - File: src/config.py:23
   - Description: Database password hardcoded in source
   - CVSS Score: 9.1 (Critical)
   - Fix: Use environment variables or secrets manager
   - Status: BLOCKS DEPLOYMENT ❌

HIGH SEVERITY (5):
3. [CWE-200] Information exposure
   - File: src/api/error_handler.py:67
   - Description: Stack traces exposed in API responses
   - CVSS Score: 7.5 (High)
   - Fix: Return generic error messages in production

4. [CVE-2023-12345] Vulnerable dependency
   - Package: requests==2.25.0
   - Vulnerability: Authentication bypass
   - CVSS Score: 8.2 (High)
   - Fix: Upgrade to requests>=2.31.0

5. [CWE-352] Missing CSRF protection
   - File: src/api/forms.py
   - Description: No CSRF tokens on state-changing operations
   - CVSS Score: 8.8 (High)
   - Fix: Implement CSRF token validation

6. [CWE-862] Missing authorization
   - File: src/api/admin.py:89
   - Description: Admin endpoint lacks authorization check
   - CVSS Score: 7.5 (High)
   - Fix: Add @require_admin decorator

7. [Container] Running as root
   - File: Dockerfile:15
   - Description: Container runs with root privileges
   - CVSS Score: 7.0 (High)
   - Fix: Create and use non-root user

MEDIUM SEVERITY (12):
... (abbreviated)

LOW SEVERITY (23):
... (abbreviated)

COMPLIANCE STATUS:
✓ OWASP Top 10: 8/10 covered
✗ SQL Injection: Not protected (A03:2021)
✗ Broken Access Control: Partial (A01:2021)
✓ Encryption: TLS 1.3 enforced
✓ Authentication: JWT properly implemented
⚠ Authorization: Missing in 3 endpoints

RECOMMENDATIONS:
1. Fix 2 critical issues immediately (block deployment)
2. Upgrade vulnerable dependencies
3. Implement CSRF protection
4. Add authorization checks to all admin endpoints
5. Review and fix information exposure
6. Container security hardening

NEXT STEPS:
1. Create remediation tickets for all HIGH+ issues
2. Schedule dependency updates
3. Conduct penetration testing after fixes
4. Re-audit in 2 weeks

bash

security-audit full-audit \
  --requirements reqs/ \
  --code src/ \
  --infrastructure infrastructure/ \
  --output reports/security/

输出:

=== 安全审计报告 ===
日期: 2025-01-15
范围: 全系统审计

整体安全评分: 72/100（可接受）

严重问题 (2):
1. [CWE-89] SQL注入漏洞
   - 文件: src/api/users.py:145
   - 描述: SQL查询中直接拼接字符串
   - CVSS评分: 9.8（严重）
   - 修复方案: 使用参数化查询
   - 状态: 阻止部署 ❌

2. [CWE-798] 硬编码凭据
   - 文件: src/config.py:23
   - 描述: 数据库密码硬编码在源码中
   - CVSS评分: 9.1（严重）
   - 修复方案: 使用环境变量或密钥管理器
   - 状态: 阻止部署 ❌

高风险问题 (5):
3. [CWE-200] 信息泄露
   - 文件: src/api/error_handler.py:67
   - 描述: API响应中暴露堆栈跟踪
   - CVSS评分: 7.5（高）
   - 修复方案: 生产环境返回通用错误信息

4. [CVE-2023-12345] 存在漏洞的依赖项
   - 包: requests==2.25.0
   - 漏洞: 身份认证绕过
   - CVSS评分: 8.2（高）
   - 修复方案: 升级至requests>=2.31.0

5. [CWE-352] 缺失CSRF防护
   - 文件: src/api/forms.py
   - 描述: 状态变更操作未使用CSRF令牌
   - CVSS评分: 8.8（高）
   - 修复方案: 实现CSRF令牌验证

6. [CWE-862] 缺失授权检查
   - 文件: src/api/admin.py:89
   - 描述: 管理员端点缺少授权检查
   - CVSS评分: 7.5（高）
   - 修复方案: 添加@require_admin装饰器

7. [容器] 以root用户运行
   - 文件: Dockerfile:15
   - 描述: 容器以root权限运行
   - CVSS评分: 7.0（高）
   - 修复方案: 创建并使用非root用户

中风险问题 (12):
...（省略）

低风险问题 (23):
...（省略）

合规状态:
✓ OWASP Top 10: 覆盖8/10项
✗ SQL注入: 未防护（A03:2021）
✗ 失效的访问控制: 部分覆盖（A01:2021）
✓ 加密: 强制使用TLS 1.3
✓ 身份认证: JWT实现正确
⚠ 授权: 3个端点缺失检查

建议:
1. 立即修复2个严重问题（阻止部署）
2. 升级存在漏洞的依赖项
3. 实现CSRF防护
4. 为所有管理员端点添加授权检查
5. 审查并修复信息泄露问题
6. 容器安全加固

后续步骤:
1. 为所有高风险及以上问题创建修复工单
2. 安排依赖项更新
3. 修复后进行渗透测试
4. 2周后重新审计

Requirements Security Validation

安全需求验证

bash

security-audit requirements \
  --input reqs/security_requirements.md \
  --output reports/security/req-validation.json

Output:

json

{
  "summary": {
    "total_security_requirements": 45,
    "complete": 38,
    "incomplete": 7,
    "coverage_percentage": 84
  },
  "missing_requirements": [
    {
      "category": "Authentication",
      "requirement": "Multi-factor authentication",
      "severity": "high",
      "recommendation": "Add REQ-AUTH-MFA for critical operations"
    },
    {
      "category": "Encryption",
      "requirement": "Encryption key rotation policy",
      "severity": "medium",
      "recommendation": "Define key rotation schedule in REQ-ENC-*"
    }
  ],
  "incomplete_requirements": [
    {
      "id": "REQ-AUTH-01",
      "issue": "No password complexity specification",
      "current": "Password must be secure",
      "recommended": "Password: 8-128 chars, uppercase, lowercase, digit, special"
    }
  ]
}

bash

security-audit requirements \
  --input reqs/security_requirements.md \
  --output reports/security/req-validation.json

输出:

json

{
  "summary": {
    "total_security_requirements": 45,
    "complete": 38,
    "incomplete": 7,
    "coverage_percentage": 84
  },
  "missing_requirements": [
    {
      "category": "Authentication",
      "requirement": "Multi-factor authentication",
      "severity": "high",
      "recommendation": "Add REQ-AUTH-MFA for critical operations"
    },
    {
      "category": "Encryption",
      "requirement": "Encryption key rotation policy",
      "severity": "medium",
      "recommendation": "Define key rotation schedule in REQ-ENC-*"
    }
  ],
  "incomplete_requirements": [
    {
      "id": "REQ-AUTH-01",
      "issue": "No password complexity specification",
      "current": "Password must be secure",
      "recommended": "Password: 8-128 chars, uppercase, lowercase, digit, special"
    }
  ]
}

Dependency Vulnerability Scan

依赖项漏洞扫描

bash

security-audit dependencies \
  --requirements requirements.txt \
  --output reports/security/dependencies.json

Output:

json

{
  "total_packages": 87,
  "vulnerable_packages": 5,
  "vulnerabilities": [
    {
      "package": "requests",
      "installed_version": "2.25.0",
      "vulnerability": "CVE-2023-32681",
      "severity": "high",
      "cvss_score": 8.2,
      "description": "Proxy-Authorization header leak on cross-origin redirect",
      "fixed_in": "2.31.0",
      "recommended_action": "pip install --upgrade requests>=2.31.0"
    },
    {
      "package": "pillow",
      "installed_version": "9.0.0",
      "vulnerability": "CVE-2023-44271",
      "severity": "critical",
      "cvss_score": 9.8,
      "description": "Arbitrary code execution via crafted image",
      "fixed_in": "9.3.0",
      "recommended_action": "pip install --upgrade pillow>=9.3.0"
    }
  ],
  "license_issues": [
    {
      "package": "some-package",
      "license": "GPL-3.0",
      "issue": "Copyleft license may conflict with proprietary code",
      "recommendation": "Review license compatibility"
    }
  ]
}

bash

security-audit dependencies \
  --requirements requirements.txt \
  --output reports/security/dependencies.json

输出:

json

{
  "total_packages": 87,
  "vulnerable_packages": 5,
  "vulnerabilities": [
    {
      "package": "requests",
      "installed_version": "2.25.0",
      "vulnerability": "CVE-2023-32681",
      "severity": "high",
      "cvss_score": 8.2,
      "description": "Proxy-Authorization header leak on cross-origin redirect",
      "fixed_in": "2.31.0",
      "recommended_action": "pip install --upgrade requests>=2.31.0"
    },
    {
      "package": "pillow",
      "installed_version": "9.0.0",
      "vulnerability": "CVE-2023-44271",
      "severity": "critical",
      "cvss_score": 9.8,
      "description": "Arbitrary code execution via crafted image",
      "fixed_in": "9.3.0",
      "recommended_action": "pip install --upgrade pillow>=9.3.0"
    }
  ],
  "license_issues": [
    {
      "package": "some-package",
      "license": "GPL-3.0",
      "issue": "Copyleft license may conflict with proprietary code",
      "recommendation": "Review license compatibility"
    }
  ]
}

Secret Detection

敏感信息检测

bash

security-audit secrets --path . --output reports/security/secrets.json

Output:

json

{
  "secrets_found": 4,
  "files_scanned": 234,
  "secrets": [
    {
      "type": "AWS Access Key",
      "file": "scripts/deploy.sh",
      "line": 15,
      "matched_text": "AKIA...",
      "entropy": 4.5,
      "confidence": "high",
      "recommendation": "Move to AWS Secrets Manager or environment variable"
    },
    {
      "type": "Private Key",
      "file": "config/ssl/private.key",
      "line": 1,
      "matched_text": "-----BEGIN PRIVATE KEY-----",
      "confidence": "high",
      "recommendation": "Remove from Git, use secrets manager"
    },
    {
      "type": "Database Password",
      "file": "src/config.py",
      "line": 23,
      "matched_text": "password = 'SuperSecret123'",
      "confidence": "high",
      "recommendation": "Use environment variables or secrets manager"
    }
  ]
}

bash

security-audit secrets --path . --output reports/security/secrets.json

输出:

json

{
  "secrets_found": 4,
  "files_scanned": 234,
  "secrets": [
    {
      "type": "AWS Access Key",
      "file": "scripts/deploy.sh",
      "line": 15,
      "matched_text": "AKIA...",
      "entropy": 4.5,
      "confidence": "high",
      "recommendation": "Move to AWS Secrets Manager or environment variable"
    },
    {
      "type": "Private Key",
      "file": "config/ssl/private.key",
      "line": 1,
      "matched_text": "-----BEGIN PRIVATE KEY-----",
      "confidence": "high",
      "recommendation": "Remove from Git, use secrets manager"
    },
    {
      "type": "Database Password",
      "file": "src/config.py",
      "line": 23,
      "matched_text": "password = 'SuperSecret123'",
      "confidence": "high",
      "recommendation": "Use environment variables or secrets manager"
    }
  ]
}

Security Categories

安全分类

OWASP Top 10 (2021)

OWASP Top 10（2021版）

A01:2021 - Broken Access Control
- Check: Authorization on all sensitive endpoints
- Validate: User cannot access unauthorized resources
- Test: Privilege escalation attempts
A02:2021 - Cryptographic Failures
- Check: TLS 1.2+ for data in transit
- Validate: Encryption at rest for sensitive data
- Test: Weak cipher detection
A03:2021 - Injection
- Check: SQL injection prevention (parameterized queries)
- Validate: Input validation and sanitization
- Test: Command injection, XSS, LDAP injection
A04:2021 - Insecure Design
- Check: Threat modeling performed
- Validate: Security controls in design
- Test: Business logic vulnerabilities
A05:2021 - Security Misconfiguration
- Check: Default credentials changed
- Validate: Unnecessary features disabled
- Test: Information disclosure through errors
A06:2021 - Vulnerable Components
- Check: Dependencies up to date
- Validate: No known CVEs in dependencies
- Test: Transitive dependency vulnerabilities
A07:2021 - Authentication Failures
- Check: Strong password policy
- Validate: Session management secure
- Test: Brute force protection
A08:2021 - Software and Data Integrity
- Check: Code signing
- Validate: Integrity checks on updates
- Test: Supply chain attacks
A09:2021 - Security Logging Failures
- Check: Security events logged
- Validate: Logs tamper-proof
- Test: Log injection prevention
A10:2021 - Server-Side Request Forgery
- Check: URL validation
- Validate: Whitelist approach for external requests
- Test: SSRF attack attempts

A01:2021 - 失效的访问控制
- 检查: 所有敏感端点的授权配置
- 验证: 用户无法访问未授权资源
- 测试: 权限提升尝试
A02:2021 - 加密失败
- 检查: 传输数据使用TLS 1.2+协议
- 验证: 敏感数据的静态加密
- 测试: 弱密码套件检测
A03:2021 - 注入
- 检查: SQL注入防护（参数化查询）
- 验证: 输入验证与清理
- 测试: 命令注入、XSS、LDAP注入
A04:2021 - 不安全设计
- 检查: 是否执行威胁建模
- 验证: 设计中包含安全控制
- 测试: 业务逻辑漏洞
A05:2021 - 安全配置错误
- 检查: 默认凭据已修改
- 验证: 不必要的功能已禁用
- 测试: 错误信息导致的信息泄露
A06:2021 - 易受攻击的组件
- 检查: 依赖项是否为最新版本
- 验证: 依赖项中无已知CVE
- 测试: 传递依赖项漏洞
A07:2021 - 身份认证失败
- 检查: 强密码策略
- 验证: 会话管理安全
- 测试: 暴力破解防护
A08:2021 - 软件与数据完整性故障
- 检查: 代码签名
- 验证: 更新的完整性检查
- 测试: 供应链攻击
A09:2021 - 安全日志记录失败
- 检查: 安全事件已记录
- 验证: 日志防篡改
- 测试: 日志注入防护
A10:2021 - 服务器端请求伪造（SSRF）
- 检查: URL验证
- 验证: 外部请求使用白名单机制
- 测试: SSRF攻击尝试

Security Testing

安全测试

Authentication Testing

身份认证测试

python

undefined

python

undefined

Test: Weak password allowed

测试：弱密码是否被允许

def test_weak_password_rejected(): result = register_user(username="test", password="123") assert result.error == "Password too weak"

def test_weak_password_rejected(): result = register_user(username="test", password="123") assert result.error == "密码过于简单"

Test: JWT token validation

测试：JWT令牌验证

def test_invalid_jwt_rejected(): response = api_call(headers={"Authorization": "Bearer invalid_token"}) assert response.status_code == 401

Test: Session expiration

测试：会话过期

def test_session_expires(): token = login_user() time.sleep(3600) # Wait 1 hour response = api_call(headers={"Authorization": f"Bearer {token}"}) assert response.status_code == 401

undefined

def test_session_expires(): token = login_user() time.sleep(3600) # 等待1小时 response = api_call(headers={"Authorization": f"Bearer {token}"}) assert response.status_code == 401

undefined

Authorization Testing

授权测试

python

undefined

python

undefined

Test: User cannot access admin endpoint

测试：普通用户无法访问管理员端点

def test_user_cannot_access_admin(): user_token = login_as_user() response = api_call("/admin", headers={"Authorization": f"Bearer {user_token}"}) assert response.status_code == 403

Test: User cannot access other user's data

测试：用户无法访问其他用户的数据

def test_user_data_isolation(): user1_token = login_as_user("user1") response = api_call("/users/user2/profile", headers={"Authorization": f"Bearer {user1_token}"}) assert response.status_code == 403

undefined

def test_user_data_isolation(): user1_token = login_as_user("user1") response = api_call("/users/user2/profile", headers={"Authorization": f"Bearer {user1_token}"}) assert response.status_code == 403

undefined

Injection Testing

注入测试

python

undefined

python

undefined

Test: SQL injection prevented

测试：SQL注入被阻止

def test_sql_injection_prevented(): malicious_input = "admin' OR '1'='1" result = get_user(username=malicious_input) assert result is None # Should not return admin user

def test_sql_injection_prevented(): malicious_input = "admin' OR '1'='1" result = get_user(username=malicious_input) assert result is None # 不应返回管理员用户

Test: XSS prevented

测试：XSS被阻止

def test_xss_prevented(): malicious_script = "<script>alert('XSS')</script>" response = create_comment(text=malicious_script) assert "<script>" not in response.html assert "<script>" in response.html # Properly escaped

---

---

Threat Modeling (STRIDE)

威胁建模（STRIDE）

STRIDE Analysis Template

STRIDE分析模板

markdown

undefined

markdown

undefined

Threat Model: {Component Name}

威胁模型: {组件名称}

Spoofing

仿冒（Spoofing）

Threat: Attacker impersonates legitimate user
Mitigation: JWT with strong signing algorithm (RS256)
Status: ✓ Implemented

威胁: 攻击者冒充合法用户
缓解措施: 使用强签名算法（RS256）的JWT
状态: ✓ 已实现

Tampering

篡改（Tampering）

Threat: Request/response modification in transit
Mitigation: TLS 1.3 for all communications
Status: ✓ Implemented

威胁: 传输过程中请求/响应被修改
缓解措施: 所有通信使用TLS 1.3
状态: ✓ 已实现

Repudiation

抵赖（Repudiation）

Threat: User denies performing action
Mitigation: Audit logging of all state-changing operations
Status: ⚠ Partial (missing for some admin actions)

威胁: 用户否认执行过操作
缓解措施: 记录所有状态变更操作的审计日志
状态: ⚠ 部分实现（部分管理员操作缺失）

Information Disclosure

信息泄露（Information Disclosure）

Threat: Sensitive data exposed in logs/errors
Mitigation: Sanitize logs, generic error messages
Status: ❌ Not implemented

威胁: 敏感数据在日志/错误中暴露
缓解措施: 清理日志，使用通用错误信息
状态: ❌ 未实现

Denial of Service

拒绝服务（Denial of Service）

Threat: Resource exhaustion through API abuse
Mitigation: Rate limiting, input validation
Status: ✓ Implemented

威胁: API滥用导致资源耗尽
缓解措施: 速率限制、输入验证
状态: ✓ 已实现

Elevation of Privilege

权限提升（Elevation of Privilege）

Threat: User gains unauthorized permissions
Mitigation: RBAC, authorization checks on all endpoints
Status: ⚠ Partial (missing checks on 3 endpoints)

---

威胁: 用户获取未授权权限
缓解措施: RBAC、所有端点的授权检查
状态: ⚠ 部分实现（3个端点缺失检查）

---

Compliance Checklists

合规性检查表

GDPR Compliance

GDPR合规性

markdown

- [ ] Data minimization implemented
- [ ] User consent mechanism
- [ ] Right to access (data export)
- [ ] Right to erasure (data deletion)
- [ ] Right to portability
- [ ] Data breach notification process
- [ ] Privacy policy published
- [ ] Data protection impact assessment
- [ ] Encryption for personal data
- [ ] Data retention policies defined

markdown

- [ ] 已实现数据最小化
- [ ] 用户同意机制
- [ ] 数据访问权（数据导出）
- [ ] 数据删除权（擦除）
- [ ] 数据可携权
- [ ] 数据泄露通知流程
- [ ] 隐私政策已发布
- [ ] 数据保护影响评估
- [ ] 个人数据加密
- [ ] 数据保留策略已定义

OWASP ASVS (Level 2)

OWASP ASVS（Level 2）

markdown

Authentication:
- [x] V2.1.1: Password length 8-128 characters
- [x] V2.1.2: Password complexity requirements
- [x] V2.1.3: No password reuse (last 3)
- [ ] V2.1.11: MFA for sensitive operations

Session Management:
- [x] V3.2.1: Session tokens use secure random generator
- [x] V3.2.2: Session token entropy ≥64 bits
- [x] V3.3.1: Session timeout after inactivity
- [ ] V3.3.4: Session invalidation on logout

Access Control:
- [x] V4.1.1: Authorization checked on all endpoints
- [ ] V4.1.5: Access control failures logged
- [x] V4.2.1: Deny by default

markdown

身份认证:
- [x] V2.1.1: 密码长度8-128字符
- [x] V2.1.2: 密码复杂度要求
- [x] V2.1.3: 禁止重复使用最近3次密码
- [ ] V2.1.11: 敏感操作使用多因素认证（MFA）

会话管理:
- [x] V3.2.1: 会话令牌使用安全随机生成器
- [x] V3.2.2: 会话令牌熵≥64位
- [x] V3.3.1: 闲置后会话超时
- [ ] V3.3.4: 登出时会话失效

访问控制:
- [x] V4.1.1: 所有端点已检查授权
- [ ] V4.1.5: 访问控制失败已记录
- [x] V4.2.1: 默认拒绝访问

Security Metrics

安全指标

Vulnerability Metrics

漏洞指标

Vulnerability Density = Total Vulnerabilities / KLOC
Target: <5 vulnerabilities per 1000 lines of code

Critical Vulnerability Count
Target: 0

Mean Time to Remediate (MTTR)
- Critical: <24 hours
- High: <7 days
- Medium: <30 days
- Low: <90 days

漏洞密度 = 总漏洞数 / KLOC（千行代码）
目标: <5个漏洞/千行代码

严重漏洞数量
目标: 0

平均修复时间（MTTR）
- 严重: <24小时
- 高风险: <7天
- 中风险: <30天
- 低风险: <90天

Security Coverage

安全覆盖率

Security Test Coverage = (Security Tests / Total Tests) × 100%
Target: ≥20%

Security Requirement Coverage = (Implemented / Total) × 100%
Target: 100% for MUST requirements

Dependency Vulnerability Coverage = (Scanned Deps / Total Deps) × 100%
Target: 100%

安全测试覆盖率 = (安全测试用例数 / 总测试用例数) × 100%
目标: ≥20%

安全需求覆盖率 = (已实现需求数 / 总需求数) × 100%
目标: 必须满足的需求覆盖率100%

依赖项漏洞覆盖率 = (已扫描依赖项数 / 总依赖项数) × 100%
目标: 100%

Tool Access

工具权限

Required tools:

```
Read
```
: Read code, configurations, requirements
```
Bash
```
: Execute security scanning tools
```
Grep
```
: Search for security patterns
```
Glob
```
: Find files to scan

Required software:

bandit: Python SAST
safety: Dependency scanning
semgrep: Semantic code analysis
trivy: Container scanning
checkov: IaC scanning
gitleaks: Secret detection

所需工具权限:

```
Read
```
: 读取代码、配置、需求文档
```
Bash
```
: 执行安全扫描工具
```
Grep
```
: 搜索安全模式
```
Glob
```
: 查找待扫描文件

所需软件:

bandit: Python静态应用安全测试工具
safety: 依赖项扫描工具
semgrep: 语义代码分析工具
trivy: 容器扫描工具
checkov: 基础设施即代码安全扫描工具
gitleaks: 敏感信息检测工具

Integration Points

集成点

With doc-flow

与文档流集成

Validate security requirements in REQ documents
Check security traceability (REQ → Implementation)
Generate security documentation

验证REQ文档中的安全需求
检查安全可追溯性（需求 → 实现）
生成安全文档

With code-review

与代码审查集成

Share vulnerability findings
Coordinate security fixes
Track security metrics

共享漏洞发现结果
协调安全修复
跟踪安全指标

With test-automation

与测试自动化集成

Generate security test cases
Validate security controls
Track security test coverage

生成安全测试用例
验证安全控制
跟踪安全测试覆盖率

With devops-flow

与DevOps流集成

Security scanning in CI/CD
Block deployments with critical issues
Infrastructure security validation

CI/CD中的安全扫描
存在严重问题时阻止部署
基础设施安全验证

Best Practices

最佳实践

Shift left: Security testing early in development
Defense in depth: Multiple security layers
Least privilege: Minimal access by default
Fail securely: Secure defaults on errors
Keep it simple: Complexity is enemy of security
Assume breach: Plan for compromise
Zero trust: Verify everything
Security by design: Not an afterthought
Regular audits: Continuous security assessment
Incident response: Plan and test response procedures

左移: 在开发早期进行安全测试
纵深防御: 多层安全防护
最小权限: 默认授予最小访问权限
安全失效: 错误时使用安全默认值
保持简单: 复杂度是安全的敌人
假设已被攻破: 为妥协场景做计划
零信任: 验证所有请求
安全设计: 安全不是事后补充
定期审计: 持续安全评估
事件响应: 制定并测试响应流程

Limitations

局限性

Cannot detect all vulnerability types (e.g., business logic flaws)
May produce false positives (requires manual review)
Depends on tool database currency
Cannot test runtime behavior fully
Limited threat modeling automation

无法检测所有类型的漏洞（如业务逻辑缺陷）
可能产生误报（需要人工审查）
依赖工具数据库的时效性
无法全面测试运行时行为
威胁建模自动化程度有限

Success Criteria

成功标准

Zero critical vulnerabilities in production
<5 high severity vulnerabilities
100% security requirement coverage
All dependencies with no known CVEs
No secrets in code repository
Security score ≥80/100
OWASP Top 10 coverage: 10/10

生产环境中无严重漏洞
高风险漏洞数量<5个
安全需求覆盖率100%
所有依赖项无已知CVE
代码仓库中无敏感信息
安全评分≥80/100
OWASP Top 10覆盖10/10项

Notes

注意事项

Security audits run automatically in CI/CD
Critical vulnerabilities block deployment
Vulnerability reports saved to
```
reports/security/
```
Monthly comprehensive security review recommended
Penetration testing recommended quarterly
Security guidelines documentation for development team required

安全审计在CI/CD中自动运行
严重漏洞会阻止部署
漏洞报告保存至
```
reports/security/
```
建议每月进行全面安全审查
建议每季度进行渗透测试
需为开发团队提供安全指南文档

Version History

版本历史

Version	Date	Changes
1.0	2026-02-08	Initial skill creation with YAML frontmatter standardization

版本	日期	变更
1.0	2026-02-08	初始技能创建，标准化YAML前置内容