<# Security Audit Script for FengZhongXing Platform #> $ErrorActionPreference = "Stop" $RED = "Red" $GREEN = "Green" $YELLOW = "Yellow" $BLUE = "Cyan" $auditResults = @() $totalChecks = 0 $passedChecks = 0 $failedChecks = 0 function Write-Info($msg) { Write-Host "[INFO] $msg" -ForegroundColor $BLUE } function Write-Success($msg) { Write-Host "[SUCCESS] $msg" -ForegroundColor $GREEN; $script:passedChecks++ } function Write-Failure($msg) { Write-Host "[FAILURE] $msg" -ForegroundColor $RED; $script:failedChecks++; $script:auditResults += "FAIL: $msg" } function Write-Warn($msg) { Write-Host "[WARN] $msg" -ForegroundColor $YELLOW } # Check 1: Hardcoded passwords in code function Check-HardcodedPasswords { Write-Info "Checking for hardcoded passwords..." $script:totalChecks++ $patterns = @('password\s*=\s*["''][^"'']{8,}["'']', 'PASSWORD\s*=\s*["''][^"'']{8,}["'']') $files = Get-ChildItem -Path . -Recurse -Include "*.java","*.ts","*.py","*.sh","*.ps1" -Exclude "node_modules","target",".git" 2>&1 | Where-Object { $_ -is [System.IO.FileInfo] } foreach ($pattern in $patterns) { $matches = $files | Select-String -Pattern $pattern | Select-Object -First 10 if ($matches) { Write-Failure "Found potential hardcoded passwords" $matches | ForEach-Object { Write-Host " - $($_.Path):$($_.LineNumber)" } return } } Write-Success "No hardcoded passwords found" } # Check 2: .gitignore configuration function Check-Gitignore { Write-Info "Checking .gitignore configuration..." $script:totalChecks++ if (-not (Test-Path ".gitignore")) { Write-Failure ".gitignore not found" return } $content = Get-Content ".gitignore" -Raw if ($content -notmatch '^\.env$') { Write-Failure ".env not excluded in .gitignore" return } Write-Success ".gitignore check passed" } # Check 3: Environment files function Check-EnvFiles { Write-Info "Checking environment files..." $script:totalChecks++ $envFiles = Get-ChildItem -Path . -Recurse -Include ".env*" -Exclude ".env.example" 2>&1 | Where-Object { $_ -is [System.IO.FileInfo] } if ($envFiles) { Write-Warn "Found environment files (should use secrets management in production)" $script:passedChecks++ return } Write-Success "No sensitive env files found" } # Check 4: Jenkinsfile security function Check-Jenkinsfile { Write-Info "Checking Jenkinsfile security..." $script:totalChecks++ $jenkinsfile = "infrastructure/jenkins/Jenkinsfile" if (-not (Test-Path $jenkinsfile)) { Write-Warn "Jenkinsfile not found" $script:passedChecks++ return } $content = Get-Content $jenkinsfile -Raw if ($content -notmatch 'withCredentials') { Write-Failure "Jenkinsfile does not use withCredentials" return } Write-Success "Jenkinsfile security check passed" } # Check 5: Frontend security function Check-Frontend { Write-Info "Checking frontend security..." $script:totalChecks++ $files = Get-ChildItem -Path "frontend" -Recurse -Include "*.ts" 2>&1 | Where-Object { $_ -is [System.IO.FileInfo] } $issues = $false foreach ($file in $files) { $content = Get-Content $file.FullName -Raw if ($content -match 'AMAP_KEY|map.*key' -and $content -notmatch 'VITE_|import\.meta\.env') { Write-Warn "Potential hardcoded API key in $($file.Name)" $issues = $true } } if (-not $issues) { Write-Success "Frontend security check passed" } else { $script:passedChecks++ } } # Generate report function Generate-Report { $reportFile = "security_audit_report_$(Get-Date -Format 'yyyyMMdd_HHmmss').md" $report = @" # Security Audit Report ## Basic Info - Time: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Total Checks: $totalChecks - Passed: $passedChecks - Failed: $failedChecks ## Issues "@ if ($auditResults.Count -gt 0) { $auditResults | ForEach-Object { $report += "- $_`n" } } else { $report += "No issues found`n" } $report += @" ## Result $(if ($failedChecks -eq 0) { "PASS - All checks passed" } else { "FAIL - $failedChecks issues found" }) ## Recommendations 1. Run security audit regularly 2. Integrate security scanning in CI/CD 3. Rotate secrets periodically 4. Use secret management service "@ $report | Out-File -FilePath $reportFile -Encoding UTF8 return $reportFile } # Main Write-Host "==========================================" Write-Host "FengZhongXing Platform Security Audit" Write-Host "==========================================" Write-Host "" Check-HardcodedPasswords Check-Gitignore Check-EnvFiles Check-Jenkinsfile Check-Frontend Write-Host "" Write-Host "==========================================" Write-Host " Audit Report" Write-Host "==========================================" Write-Host "Total: $totalChecks | Passed: $passedChecks | Failed: $failedChecks" if ($auditResults.Count -gt 0) { Write-Host "" Write-Host "Issues:" $auditResults | ForEach-Object { Write-Host " $_" } } Write-Host "" if ($failedChecks -eq 0) { Write-Host "All checks passed!" -ForegroundColor $GREEN } else { Write-Host "$failedChecks issues found!" -ForegroundColor $RED } $reportFile = Generate-Report Write-Host "Report saved to: $reportFile"