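#!/bin/bash
# Security scan script.
# Scans the working tree for leaked sensitive information and for unsafe
# command usage, prints a summary report and exits non-zero when anything
# was found.

set -euo pipefail

# ANSI colour sequences used by the log_* helpers. They hold the literal
# backslash text and are expanded at print time. readonly: never reassigned.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

# Issue counters, incremented by the check_* functions and summarised by
# generate_report. LOW_ISSUES is printed but no check raises it.
TOTAL_ISSUES=0
HIGH_ISSUES=0
MEDIUM_ISSUES=0
LOW_ISSUES=0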
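# Logging helpers. Each prints one coloured, tagged line on stdout.
# printf replaces `echo -e` so only the colour constants are escape-expanded
# (%b) while the message itself is printed verbatim (%s).

#######################################
# Print an informational message.
# Globals:   BLUE, NC (read)
# Arguments: $1 - message text, printed verbatim
# Outputs:   one line on stdout
#######################################
log_info() {
  printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "${1-}"
}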
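#######################################
# Print a success message.
# Globals:   GREEN, NC (read)
# Arguments: $1 - message text, printed verbatim (no escape processing)
# Outputs:   one line on stdout
#######################################
log_success() {
  printf '%b[SUCCESS]%b %s\n' "$GREEN" "$NC" "${1-}"
}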
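#######################################
# Print a warning message.
# Globals:   YELLOW, NC (read)
# Arguments: $1 - message text, printed verbatim (no escape processing)
# Outputs:   one line on stdout
#######################################
log_warning() {
  printf '%b[WARNING]%b %s\n' "$YELLOW" "$NC" "${1-}"
}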
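#######################################
# Print an error message.
# Globals:   RED, NC (read)
# Arguments: $1 - message text, printed verbatim (no escape processing)
# Outputs:   one line on stdout
#######################################
log_error() {
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "${1-}"
}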
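#######################################
# Scan the working tree for leaked credentials (passwords, tokens, API keys,
# private keys). Every pattern that matches counts as one HIGH issue.
# Only file:line locations are printed, never the matched text, so the
# scanner's own output cannot re-leak a secret into terminal or CI logs.
# Globals:   HIGH_ISSUES, TOTAL_ISSUES (written)
# Arguments: none; scans the current directory recursively
# Outputs:   progress and finding locations on stdout
# Returns:   0 (results are reported through the counters)
#######################################
check_secrets() {
  log_info "检查敏感信息泄露..."

  # Extended regexes for `grep -E -i`. \s needs GNU grep.
  local patterns=(
    "password\s*=\s*['\"][^'\"]*['\"]"
    "token\s*=\s*['\"][^'\"]*['\"]"
    "api_key\s*=\s*['\"][^'\"]*['\"]"
    "secret\s*=\s*['\"][^'\"]*['\"]"
    "private_key"
    "-----BEGIN.*PRIVATE KEY-----"
  )

  local found_secrets=0
  local pattern matches

  for pattern in "${patterns[@]}"; do
    # `--` is required: without it the "-----BEGIN..." pattern is parsed as an
    # option, grep fails (hidden by 2>/dev/null) and private keys are never
    # checked. --exclude skips this script, whose own pattern list would
    # match the private_key / PRIVATE KEY rules on every run. `cut` keeps
    # only file:line so the secret value itself is not echoed.
    matches=$(grep -r -i -n -E \
      --exclude-dir=.git --exclude-dir=backups --exclude="${0##*/}" \
      -- "$pattern" . 2>/dev/null | cut -d: -f1,2 || true)

    if [[ -n "$matches" ]]; then
      log_error "发现可能的敏感信息:"
      printf '%s\n' "$matches"
      # Plain assignment instead of ((x++)): a post-increment from 0 returns
      # status 1 and, under `set -e`, aborted the whole script here.
      found_secrets=$((found_secrets + 1))
      HIGH_ISSUES=$((HIGH_ISSUES + 1))
    fi
  done

  if (( found_secrets == 0 )); then
    log_success "未发现明显的敏感信息泄露"
  else
    log_error "发现 $found_secrets 种类型的敏感信息,请检查并移除"
  fi

  # ((TOTAL_ISSUES += 0)) also returns status 1 under `set -e`; use assignment.
  TOTAL_ISSUES=$((TOTAL_ISSUES + found_secrets))
}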
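#######################################
# Scan scripts/ for command usages that weaken security (recursive rm of /,
# world-writable chmod, TLS verification disabled in curl/wget). Every
# matching pattern counts as one MEDIUM issue. The patterns are heuristics:
# "curl.*-k" also matches any later "-k" substring such as "--key".
# Globals:   MEDIUM_ISSUES, TOTAL_ISSUES (written)
# Arguments: none
# Outputs:   progress and matching file:line:text on stdout
# Returns:   0 (results are reported through the counters)
#######################################
check_unsafe_commands() {
  log_info "检查不安全的命令使用..."

  local scan_dir="scripts/"
  # A missing directory used to be hidden by 2>/dev/null and reported as a
  # clean result; say so explicitly instead of faking a pass.
  if [[ ! -d "$scan_dir" ]]; then
    log_warning "目录 $scan_dir 不存在,跳过不安全命令检查"
    return 0
  fi

  local unsafe_patterns=(
    "rm\s+-rf\s+/"
    "chmod\s+777"
    "curl.*-k"
    "wget.*--no-check-certificate"
  )

  local unsafe_found=0
  local pattern matches

  for pattern in "${unsafe_patterns[@]}"; do
    # `--` keeps a pattern starting with '-' from being parsed as an option;
    # --exclude skips this script, whose own pattern list matches the curl
    # and wget rules.
    matches=$(grep -r -n -E --exclude="${0##*/}" -- "$pattern" "$scan_dir" 2>/dev/null || true)

    if [[ -n "$matches" ]]; then
      log_warning "发现可能不安全的命令使用:"
      printf '%s\n' "$matches"
      # Plain assignment instead of ((x++)): a post-increment from 0 returns
      # status 1 and, under `set -e`, aborted the whole script here.
      unsafe_found=$((unsafe_found + 1))
      MEDIUM_ISSUES=$((MEDIUM_ISSUES + 1))
    fi
  done

  if (( unsafe_found == 0 )); then
    log_success "未发现明显不安全的命令使用"
  else
    log_warning "发现 $unsafe_found 个可能不安全的命令,请检查"
  fi

  # ((TOTAL_ISSUES += 0)) also returns status 1 under `set -e`; use assignment.
  TOTAL_ISSUES=$((TOTAL_ISSUES + unsafe_found))
}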
#######################################
# Print the summary report from the issue counters.
# Globals:   TOTAL_ISSUES, HIGH_ISSUES, MEDIUM_ISSUES, LOW_ISSUES (read)
# Arguments: none
# Outputs:   report on stdout
# Returns:   0 when TOTAL_ISSUES is 0, 1 otherwise
#######################################
generate_report() {
  log_info "生成安全扫描报告..."

  local rule="=================================="
  printf '\n%s\n' "$rule"
  printf ' 安全扫描报告\n'
  printf '%s\n' "$rule"
  printf '总问题数: %s\n' "$TOTAL_ISSUES"
  printf '高危: %s\n' "$HIGH_ISSUES"
  printf '中危: %s\n' "$MEDIUM_ISSUES"
  printf '低危: %s\n' "$LOW_ISSUES"
  printf '%s\n' "$rule"

  # Non-zero status here becomes the script's exit status via main.
  if (( TOTAL_ISSUES != 0 )); then
    log_warning "发现 $TOTAL_ISSUES 个安全问题,请检查并修复"
    return 1
  fi
  log_success "安全扫描通过,未发现问题!"
  return 0
}
#######################################
# Entry point: run every check in order, then print the report. The status
# of generate_report (1 when issues were found) is returned to the caller.
# Arguments: command-line arguments are accepted but not used
# Returns:   status of generate_report
#######################################
main() {
  log_info "开始安全扫描..."

  local check
  for check in check_secrets check_unsafe_commands; do
    "$check"
  done

  generate_report
}
# Hand the argument list straight to main; its return status is the script's
# exit status.
main "$@"