<# .SYNOPSIS 安全审计脚本 - 风七六本地生活服务平台 遵循阿里开发手册安全规范 .DESCRIPTION 执行代码库安全审计,检查硬编码密码、配置安全等问题 .EXAMPLE .\security_audit.ps1 #> $ErrorActionPreference = "Stop" # 颜色输出 $RED = "Red" $GREEN = "Green" $YELLOW = "Yellow" $BLUE = "Cyan" # 审计结果 $auditResults = @() $totalChecks = 0 $passedChecks = 0 $failedChecks = 0 # 日志函数 function Write-Info($message) { Write-Host "[INFO] $message" -ForegroundColor $BLUE } function Write-Success($message) { Write-Host "[SUCCESS] $message" -ForegroundColor $GREEN $script:passedChecks++ } function Write-Failure($message) { Write-Host "[FAILURE] $message" -ForegroundColor $RED $script:failedChecks++ $script:auditResults += "❌ $message" } function Write-Warn($message) { Write-Host "[WARN] $message" -ForegroundColor $YELLOW } # 检查1: 代码中是否有硬编码密码 function Check-HardcodedPasswords { Write-Info "检查代码中是否有硬编码密码..." $script:totalChecks++ $found = $false $patterns = @( 'password\s*=\s*["''].*["'']' 'PASSWORD\s*=\s*["''].*["'']' 'secret\s*=\s*["''].*["'']' 'SECRET\s*=\s*["''].*["'']' ) $extensions = @("*.java", "*.ts", "*.py", "*.sh", "*.ps1", "*.yml", "*.yaml", "*.json") $excludeDirs = @("node_modules", "target", ".git", ".next", ".nuxt") foreach ($pattern in $patterns) { $matches = Get-ChildItem -Path . -Recurse -Include $extensions -Exclude $excludeDirs 2>&1 | ` Where-Object { $_.FullName -notmatch 'node_modules|target|\.git|\.next|\.nuxt' } | ` Select-String -Pattern $pattern | ` Select-Object -First 20 if ($matches) { $found = $true Write-Failure "发现可能存在硬编码密码:" $matches | ForEach-Object { Write-Host " - $($_.Path):$($_.LineNumber): $($_.Line.Trim())" } break } } if (-not $found) { Write-Success "未发现硬编码密码" } } # 检查2: .gitignore是否包含.env文件 function Check-GitignoreEnv { Write-Info "检查.gitignore是否包含.env文件..." $script:totalChecks++ $gitignore = ".gitignore" if (-not (Test-Path $gitignore)) { Write-Failure ".gitignore文件不存在" return } $content = Get-Content $gitignore -Raw if ($content -notmatch '^\.env$' -and $content -notmatch '^\.env\.') { Write-Failure ".gitignore中未配置.env文件排除规则" return } if ($content -notmatch '^\.env\.\*$') { Write-Warn ".gitignore中未配置.env.*通配规则,建议添加" } Write-Success ".gitignore配置检查通过" } # 检查3: 环境变量文件是否存在敏感信息 function Check-EnvFiles { Write-Info "检查环境变量文件是否存在敏感信息..." $script:totalChecks++ $found = $false Get-ChildItem -Path . -Recurse -Include ".env*" -Exclude ".env.example" 2>&1 | ` Where-Object { $_ -is [System.IO.FileInfo] } | ` ForEach-Object { $envFile = $_.FullName $content = Get-Content $envFile -Raw if ($content -match '(PASSWORD|SECRET|TOKEN|KEY)=[^$}{]+$') { $found = $true Write-Warn "环境变量文件 $envFile 包含敏感配置(生产环境建议使用密钥管理服务)" } } if (-not $found) { Write-Success "环境变量文件检查通过" } else { $script:passedChecks++ } } # 检查4: Jenkinsfile安全检查 function Check-JenkinsfileSecurity { Write-Info "检查Jenkinsfile安全配置..." $script:totalChecks++ $jenkinsfile = "infrastructure/jenkins/Jenkinsfile" if (-not (Test-Path $jenkinsfile)) { Write-Warn "Jenkinsfile不存在" $script:passedChecks++ return } $content = Get-Content $jenkinsfile -Raw $issues = $false # 检查是否使用withCredentials if ($content -notmatch 'withCredentials') { Write-Failure "Jenkinsfile未使用withCredentials安全注入凭证" $issues = $true } # 检查是否使用--password-stdin if ($content -match 'podman login' -and $content -notmatch '--password-stdin') { Write-Warn "podman login建议使用--password-stdin方式传递密码" } if (-not $issues) { Write-Success "Jenkinsfile安全检查通过" } } # 检查5: 前端配置安全检查 function Check-FrontendConfig { Write-Info "检查前端配置安全..." $script:totalChecks++ $issues = $false Get-ChildItem -Path "frontend" -Recurse -Include "*.ts", "*.js" 2>&1 | ` Where-Object { $_ -is [System.IO.FileInfo] } | ` ForEach-Object { $content = Get-Content $_.FullName -Raw if ($content -match 'AMAP_KEY|amap.*key|map.*key' -and ` $content -notmatch 'import\.meta\.env' -and ` $content -notmatch 'process\.env' -and ` $content -notmatch 'VITE_') { Write-Warn "前端文件 $($_.FullName) 可能包含硬编码的API密钥" $issues = $true } } if (-not $issues) { Write-Success "前端配置安全检查通过" } else { $script:passedChecks++ } } # 检查6: 脚本文件安全检查 function Check-ScriptSecurity { Write-Info "检查脚本文件安全..." $script:totalChecks++ $issues = $false Get-ChildItem -Path @("scripts", "infrastructure/scripts") -Recurse -Include "*.sh", "*.py" 2>&1 | ` Where-Object { $_ -is [System.IO.FileInfo] } | ` ForEach-Object { $content = Get-Content $_.FullName -Raw if ($content -match 'os\.environ|\$\{.*PASSWORD.*\}' -or $content -match '\$PASSWORD|export.*PASSWORD') { Write-Info "脚本文件 $($_.FullName) 使用环境变量配置" } else { if ($content -match 'password\s*=\s*["''][^"'']{8,}["'']') { Write-Failure "脚本文件 $($_.FullName) 可能包含硬编码密码" $issues = $true } } } if (-not $issues) { Write-Success "脚本文件安全检查通过" } } # 主函数 function Main { Write-Host "==========================================" Write-Host " 风七六本地生活服务平台 - 安全审计" Write-Host "==========================================" Write-Host "" # 执行检查 Check-HardcodedPasswords Check-GitignoreEnv Check-EnvFiles Check-JenkinsfileSecurity Check-FrontendConfig Check-ScriptSecurity # 输出报告 Write-Host "" Write-Host "==========================================" Write-Host " 审计报告" Write-Host "==========================================" Write-Host "检查总数: $totalChecks" Write-Host "通过: " -NoNewline Write-Host "$passedChecks" -ForegroundColor $GREEN Write-Host "失败: " -NoNewline Write-Host "$failedChecks" -ForegroundColor $RED if ($auditResults.Count -gt 0) { Write-Host "" Write-Host "问题列表:" $auditResults | ForEach-Object { Write-Host " $_" } } Write-Host "" if ($failedChecks -eq 0) { Write-Host "✅ 所有检查通过!" -ForegroundColor $GREEN Write-Host "建议:定期执行安全审计,保持代码安全性" } else { Write-Host "⚠️ 发现 $failedChecks 个安全问题,请及时修复" -ForegroundColor $RED } # 生成报告文件 $reportFile = "security_audit_report_$(Get-Date -Format 'yyyyMMdd_HHmmss').md" Generate-Report $reportFile Write-Host "" Write-Host "报告已保存至: $reportFile" -ForegroundColor $BLUE } # 生成报告文件 function Generate-Report($reportFile) { $reportContent = @" # 安全审计报告 ## 基本信息 - 审计时间: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - 审计范围: 当前项目目录 - 检查总数: $totalChecks - 通过: $passedChecks - 失败: $failedChecks ## 问题详情 "@ if ($auditResults.Count -gt 0) { $auditResults | ForEach-Object { $reportContent += "- $_`n" } } else { $reportContent += "✅ 未发现安全问题`n" } $reportContent += @" ## 审计结果 - **状态**: $(if ($failedChecks -eq 0) { "✅ 通过" } else { "❌ 存在问题" }) - **建议**: $(if ($failedChecks -eq 0) { "继续保持良好的安全实践" } else { "请根据问题列表逐一修复" }) ## 后续建议 1. 定期执行安全审计(建议每周一次) 2. 在CI/CD流程中集成安全扫描 3. 定期轮换密钥和密码 4. 使用密钥管理服务管理敏感配置 "@ $reportContent | Out-File -FilePath $reportFile -Encoding UTF8 } # 执行主函数 Main