@umacloud/knowledge 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/00-governance/governance-capabilities.md +557 -0
- package/00-governance/knowledge-map.md +39 -0
- package/00-governance/maintenance-policy.md +76 -0
- package/00-governance/review-checklist.md +81 -0
- package/README.md +13 -0
- package/ai/01-standards/agent-development-complete.md +691 -0
- package/ai/01-standards/llm-application-complete.md +488 -0
- package/ai/01-standards/mlops-complete.md +798 -0
- package/ai/01-standards/prompt-engineering-complete.md +646 -0
- package/ai/01-standards/rag-architecture-complete.md +649 -0
- package/ai/02-playbooks/llm-evaluation-playbook.md +847 -0
- package/ai/03-checklists/ai-project-checklist.md +215 -0
- package/ai/04-antipatterns/ai-antipatterns.md +661 -0
- package/ai/05-cases/case-rag-production.md +147 -0
- package/ai/06-glossary/ai-glossary.md +162 -0
- package/ai/agent-evaluation-benchmark.md +53 -0
- package/ai/ai-agent-memory-context-management.md +41 -0
- package/ai/ai-cost-capacity-optimization-playbook.md +42 -0
- package/ai/ai-data-security-and-compliance-playbook.md +37 -0
- package/ai/ai-domain-index-and-checklist.md +40 -0
- package/ai/ai-governance-maturity-model.md +50 -0
- package/ai/ai-model-selection-and-routing-strategy.md +47 -0
- package/ai/ai-observability-and-oncall-runbook.md +52 -0
- package/ai/ai-rag-engineering-playbook.md +42 -0
- package/ai/ai-red-team-and-safety-evaluation.md +42 -0
- package/ai/ai-release-readiness-and-rollback-gate.md +42 -0
- package/ai/llm-agent-engineering-deep-dive.md +57 -0
- package/ai/prompt-and-tool-guardrails.md +52 -0
- package/api/01-standards/enterprise-api-standards.md +198 -0
- package/api/01-standards/rest-api-design-guide.md +63 -0
- package/api/02-playbooks/api-pagination-playbook.md +93 -0
- package/api/02-playbooks/graphql-production-playbook.md +176 -0
- package/api/03-checklists/api-review-checklist.md +55 -0
- package/api/04-antipatterns/api-antipatterns.md +112 -0
- package/architecture/01-standards/api-gateway-patterns.md +496 -0
- package/architecture/01-standards/cloud-native-patterns.md +644 -0
- package/architecture/01-standards/distributed-systems-patterns.md +591 -0
- package/architecture/01-standards/event-driven-architecture.md +595 -0
- package/architecture/01-standards/microservices-patterns-complete.md +968 -0
- package/architecture/01-standards/microservices-patterns.md +495 -0
- package/architecture/01-standards/system-design-interview.md +664 -0
- package/architecture/02-playbooks/microservices-patterns-playbook.md +137 -0
- package/architecture/02-playbooks/migration-playbook.md +780 -0
- package/architecture/02-playbooks/system-design-playbook.md +779 -0
- package/architecture/03-checklists/architecture-decision-checklist.md +297 -0
- package/architecture/04-antipatterns/architecture-antipatterns.md +417 -0
- package/architecture/05-cases/case-netflix-microservices.md +413 -0
- package/architecture/06-glossary/architecture-glossary.md +164 -0
- package/architecture/adr-template-and-examples.md +38 -0
- package/architecture/api-gateway-deep-dive.md +1291 -0
- package/architecture/configuration-management.md +1162 -0
- package/architecture/distributed-transactions.md +1220 -0
- package/architecture/microservices-complete.md +735 -0
- package/architecture/resilience-and-disaster-patterns.md +37 -0
- package/architecture/service-governance.md +1198 -0
- package/architecture/system-architecture-deep-dive.md +37 -0
- package/backend/01-standards/analytics-and-growth.md +65 -0
- package/backend/01-standards/api-and-error-conventions.md +120 -0
- package/backend/01-standards/application-layering-and-packaging.md +160 -0
- package/backend/01-standards/auth-implementation.md +104 -0
- package/backend/01-standards/backend-framework-idioms.md +74 -0
- package/backend/01-standards/background-jobs-and-async.md +66 -0
- package/backend/01-standards/caching-strategies-complete.md +390 -0
- package/backend/01-standards/config-and-observability.md +77 -0
- package/backend/01-standards/data-modeling-and-persistence.md +94 -0
- package/backend/01-standards/django-complete.md +1765 -0
- package/backend/01-standards/email-and-notifications.md +64 -0
- package/backend/01-standards/fastapi-complete.md +925 -0
- package/backend/01-standards/file-upload-and-storage.md +66 -0
- package/backend/01-standards/graphql-api-complete.md +416 -0
- package/backend/01-standards/llm-application-standard.md +78 -0
- package/backend/01-standards/message-queue-patterns.md +379 -0
- package/backend/01-standards/microservices-and-distributed.md +78 -0
- package/backend/01-standards/nestjs-complete.md +2167 -0
- package/backend/01-standards/payment-integration.md +80 -0
- package/backend/01-standards/rate-limiting-complete.md +451 -0
- package/backend/01-standards/realtime-and-websocket.md +65 -0
- package/backend/01-standards/search-and-filtering.md +64 -0
- package/backend/01-standards/spring-boot-complete.md +445 -0
- package/backend/02-playbooks/api-design-playbook.md +718 -0
- package/backend/02-playbooks/email-send-playbook.md +130 -0
- package/backend/02-playbooks/file-upload-s3-playbook.md +153 -0
- package/backend/02-playbooks/typescript-enterprise-playbook.md +133 -0
- package/backend/02-playbooks/websocket-realtime-playbook.md +154 -0
- package/backend/03-checklists/api-launch-checklist.md +189 -0
- package/backend/04-antipatterns/backend-antipatterns.md +1051 -0
- package/blockchain/01-standards/blockchain-basics.md +557 -0
- package/blockchain/01-standards/smart-contract-development.md +1315 -0
- package/cicd/01-standards/deployment-and-delivery-standard.md +96 -0
- package/cicd/01-standards/github-actions-complete.md +473 -0
- package/cicd/01-standards/release-and-store-submission.md +75 -0
- package/cicd/02-playbooks/cicd-pipeline-playbook.md +144 -0
- package/cicd/02-playbooks/release-management-playbook.md +605 -0
- package/cicd/03-checklists/pipeline-security-checklist.md +168 -0
- package/cicd/04-antipatterns/cicd-antipatterns.md +589 -0
- package/cicd/05-cases/case-deployment-automation.md +221 -0
- package/cicd/05-cases/case-gitops-transformation.md +212 -0
- package/cicd/06-glossary/cicd-glossary.md +114 -0
- package/cicd/cicd-blueprint-deep-dive.md +38 -0
- package/cicd/release-readiness-gate.md +37 -0
- package/cloud-native/01-standards/container-security.md +741 -0
- package/cloud-native/01-standards/kubernetes-complete.md +812 -0
- package/cloud-native/02-playbooks/api-gateway-playbook.md +155 -0
- package/cloud-native/02-playbooks/gitops-with-argocd.md +760 -0
- package/cloud-native/02-playbooks/k8s-troubleshooting-playbook.md +1942 -0
- package/cloud-native/02-playbooks/message-queue-playbook.md +129 -0
- package/cloud-native/02-playbooks/multicloud-governance.md +726 -0
- package/cloud-native/02-playbooks/serverless-patterns.md +788 -0
- package/cloud-native/02-playbooks/service-mesh-playbook.md +612 -0
- package/cloud-native/02-playbooks/terraform-iac-playbook.md +143 -0
- package/cloud-native/03-checklists/container-security-checklist.md +431 -0
- package/cloud-native/03-checklists/k8s-production-readiness-checklist.md +460 -0
- package/cloud-native/04-antipatterns/container-antipatterns.md +660 -0
- package/cloud-native/04-antipatterns/k8s-antipatterns.md +743 -0
- package/cloud-native/05-cases/case-k8s-migration.md +478 -0
- package/cloud-native/05-cases/case-k8s-scaling.md +642 -0
- package/cloud-native/05-cases/case-k8s-security-incident.md +397 -0
- package/cloud-native/06-glossary/cloud-native-glossary.md +337 -0
- package/cross-platform/01-standards/cross-platform-frameworks.md +83 -0
- package/cross-platform/01-standards/platform-selection-and-architecture.md +77 -0
- package/data/01-standards/elasticsearch-complete.md +2098 -0
- package/data/01-standards/postgresql-complete.md +1613 -0
- package/data/01-standards/redis-complete.md +1527 -0
- package/data/02-playbooks/database-optimization-playbook.md +403 -0
- package/data/02-playbooks/elasticsearch-production-playbook.md +132 -0
- package/data/03-checklists/database-launch-checklist.md +187 -0
- package/data/04-antipatterns/database-antipatterns.md +873 -0
- package/data/05-cases/case-database-migration.md +310 -0
- package/data/06-glossary/database-glossary.md +440 -0
- package/data/data-governance-and-modeling-deep-dive.md +39 -0
- package/data-engineering/01-standards/airflow-complete.md +523 -0
- package/data-engineering/01-standards/kafka-complete.md +1521 -0
- package/data-engineering/02-playbooks/spark-etl-playbook.md +496 -0
- package/data-engineering/03-checklists/pipeline-launch-checklist.md +194 -0
- package/data-engineering/04-antipatterns/data-pipeline-antipatterns.md +684 -0
- package/data-engineering/05-cases/case-real-time-pipeline.md +355 -0
- package/data-engineering/06-glossary/data-engineering-glossary.md +429 -0
- package/database/01-standards/database-schema-standards.md +147 -0
- package/database/02-playbooks/postgresql-optimization-quick.md +52 -0
- package/database/02-playbooks/postgresql-performance-optimization.md +58 -0
- package/database/02-playbooks/postgresql-production-playbook.md +146 -0
- package/database/02-playbooks/redis-caching-playbook.md +117 -0
- package/database/03-checklists/database-review-checklist.md +50 -0
- package/database/04-antipatterns/database-antipatterns.md +112 -0
- package/design/01-standards/ui-design-system-complete.md +423 -0
- package/design/02-playbooks/design-handoff-playbook.md +254 -0
- package/design/02-playbooks/design-review-playbook.md +388 -0
- package/design/03-checklists/design-review-checklist.md +246 -0
- package/design/04-antipatterns/design-antipatterns.md +378 -0
- package/design/05-cases/case-design-system-adoption.md +328 -0
- package/design/06-glossary/design-glossary.md +329 -0
- package/design/ui-full-lifecycle-cross-platform-playbook.md +571 -0
- package/design/ux-system-deep-dive.md +38 -0
- package/design-systems/00-craft-rules.md +71 -0
- package/design-systems/aesthetic-families.md +43 -0
- package/design-systems/anti-ai-slop.md +162 -0
- package/design-systems/bold-geometric.md +120 -0
- package/design-systems/brutalist-bold.md +103 -0
- package/design-systems/editorial-clean.md +109 -0
- package/design-systems/glass-aurora.md +108 -0
- package/design-systems/modern-minimal.md +145 -0
- package/design-systems/premium-luxury.md +106 -0
- package/design-systems/product-type-design-map.md +48 -0
- package/design-systems/soft-warm.md +123 -0
- package/design-systems/tech-utility.md +113 -0
- package/desktop/01-standards/desktop-app-standard.md +72 -0
- package/desktop/01-standards/desktop-design.md +71 -0
- package/development/00-governance/document-template.md +41 -0
- package/development/01-standards/api-versioning-strategies.md +432 -0
- package/development/01-standards/authentication-patterns-complete.md +479 -0
- package/development/01-standards/css-architecture-complete.md +550 -0
- package/development/01-standards/database-migration-strategies.md +484 -0
- package/development/01-standards/elasticsearch-complete.md +347 -0
- package/development/01-standards/git-complete.md +371 -0
- package/development/01-standards/golang-complete.md +1565 -0
- package/development/01-standards/graphql-complete.md +298 -0
- package/development/01-standards/javascript-bundlers-complete.md +469 -0
- package/development/01-standards/javascript-typescript-complete.md +528 -0
- package/development/01-standards/jest-complete.md +275 -0
- package/development/01-standards/linux-complete.md +234 -0
- package/development/01-standards/logging-observability-complete.md +526 -0
- package/development/01-standards/microservices-communication.md +502 -0
- package/development/01-standards/mongodb-complete.md +406 -0
- package/development/01-standards/oauth2-complete.md +285 -0
- package/development/01-standards/performance-optimization-complete.md +289 -0
- package/development/01-standards/playwright-complete.md +247 -0
- package/development/01-standards/postgresql-complete.md +456 -0
- package/development/01-standards/pytest-complete.md +340 -0
- package/development/01-standards/python-async-programming.md +902 -0
- package/development/01-standards/python-complete.md +956 -0
- package/development/01-standards/python-decorators-complete.md +799 -0
- package/development/01-standards/python-design-patterns.md +2854 -0
- package/development/01-standards/python-packaging-distribution.md +420 -0
- package/development/01-standards/python-testing-strategies.md +607 -0
- package/development/01-standards/python-web-frameworks-comparison.md +471 -0
- package/development/01-standards/redis-complete.md +317 -0
- package/development/01-standards/rest-api-complete.md +316 -0
- package/development/01-standards/rust-complete.md +578 -0
- package/development/01-standards/typescript-advanced-types.md +1513 -0
- package/development/01-standards/web-security-complete.md +292 -0
- package/development/02-playbooks/api-design-playbook.md +810 -0
- package/development/02-playbooks/database-migration-playbook.md +580 -0
- package/development/02-playbooks/debugging-playbook.md +692 -0
- package/development/02-playbooks/feature-delivery-playbook.md +430 -0
- package/development/02-playbooks/incident-hotfix-playbook.md +387 -0
- package/development/02-playbooks/performance-optimization-playbook.md +531 -0
- package/development/02-playbooks/performance-tuning-playbook.md +652 -0
- package/development/02-playbooks/refactor-playbook.md +403 -0
- package/development/02-playbooks/release-playbook.md +469 -0
- package/development/03-checklists/architecture-review-checklist.md +168 -0
- package/development/03-checklists/data-migration-checklist.md +157 -0
- package/development/03-checklists/oncall-handover-checklist.md +173 -0
- package/development/03-checklists/pr-checklist.md +158 -0
- package/development/03-checklists/production-readiness-checklist.md +190 -0
- package/development/03-checklists/release-readiness-checklist.md +154 -0
- package/development/03-checklists/security-review-checklist.md +182 -0
- package/development/04-antipatterns/api-antipatterns.md +657 -0
- package/development/04-antipatterns/architecture-antipatterns.md +686 -0
- package/development/04-antipatterns/backend-antipatterns.md +648 -0
- package/development/04-antipatterns/cicd-antipatterns.md +540 -0
- package/development/04-antipatterns/code-smell-antipatterns.md +571 -0
- package/development/04-antipatterns/data-antipatterns.md +658 -0
- package/development/04-antipatterns/database-antipatterns.md +578 -0
- package/development/04-antipatterns/frontend-antipatterns.md +635 -0
- package/development/04-antipatterns/reliability-antipatterns.md +700 -0
- package/development/04-antipatterns/security-antipatterns.md +747 -0
- package/development/05-cases/case-api-version-migration.md +428 -0
- package/development/05-cases/case-authorization-hardening.md +383 -0
- package/development/05-cases/case-bluegreen-rollback.md +466 -0
- package/development/05-cases/case-cache-snowball-protection.md +485 -0
- package/development/05-cases/case-ci-cd-pipeline.md +544 -0
- package/development/05-cases/case-database-scaling.md +500 -0
- package/development/05-cases/case-db-hotspot-optimization.md +487 -0
- package/development/05-cases/case-incident-mttr-reduction.md +563 -0
- package/development/05-cases/case-microservice-migration.md +375 -0
- package/development/05-cases/case-performance-optimization.md +406 -0
- package/development/05-cases/case-security-incident-response.md +345 -0
- package/development/06-glossary/full-stack-glossary.md +166 -0
- package/development/09-maturity/quarterly-audit-template.md +35 -0
- package/development/11-ui-excellence/ui-aesthetic-system.md +41 -0
- package/development/11-ui-excellence/ui-engineering-excellence.md +435 -0
- package/development/12-scenarios/development-scenarios-guide.md +565 -0
- package/development/13-implementation-assets/implementation-toolkit.md +282 -0
- package/development/13-implementation-assets/knowledge-gates-execution.md +43 -0
- package/development/14-full-lifecycle/software-lifecycle-gates.md +511 -0
- package/development/15-lifecycle-templates/project-templates-collection.md +791 -0
- package/development/api-contract-and-versioning-guide.md +36 -0
- package/development/api-governance-complete.md +43 -0
- package/development/backend-engineering-complete.md +43 -0
- package/development/code-review-quality-complete.md +43 -0
- package/development/concurrency-reliability-complete.md +43 -0
- package/development/database-engineering-complete.md +43 -0
- package/development/engineering-effectiveness-complete.md +43 -0
- package/development/engineering-standards-deep-dive.md +38 -0
- package/development/frontend-engineering-complete.md +43 -0
- package/development/performance-capacity-complete.md +43 -0
- package/development/refactor-migration-complete.md +42 -0
- package/development/refactoring-and-techdebt-playbook.md +37 -0
- package/development/security-in-development-complete.md +43 -0
- package/devops/01-standards/cicd-pipeline-complete.md +262 -0
- package/devops/01-standards/docker-complete.md +1490 -0
- package/devops/01-standards/github-actions-complete.md +337 -0
- package/devops/01-standards/kubernetes-complete.md +638 -0
- package/devops/01-standards/terraform-complete.md +2117 -0
- package/devops/02-playbooks/docker-compose-playbook.md +233 -0
- package/devops/02-playbooks/docker-k8s-production-playbook.md +186 -0
- package/devops/02-playbooks/docker-production-playbook.md +952 -0
- package/edge-iot/01-standards/edge-iot-complete.md +473 -0
- package/experts/architect/api-design.md +178 -0
- package/experts/architect/methodology.md +124 -0
- package/experts/architect/security.md +75 -0
- package/experts/backend-lead/methodology.md +216 -0
- package/experts/devops/methodology.md +160 -0
- package/experts/frontend-lead/methodology.md +178 -0
- package/experts/product-manager/industry/ecommerce.md +43 -0
- package/experts/product-manager/industry/saas.md +40 -0
- package/experts/product-manager/methodology.md +97 -0
- package/experts/qa-lead/methodology.md +123 -0
- package/experts/qa-lead/test-strategy.md +128 -0
- package/experts/uiux-designer/methodology.md +125 -0
- package/frontend/01-standards/accessibility-complete.md +532 -0
- package/frontend/01-standards/accessibility-standard.md +74 -0
- package/frontend/01-standards/admin-dashboard-and-crud.md +72 -0
- package/frontend/01-standards/design-tokens-complete.md +444 -0
- package/frontend/01-standards/forms-and-validation.md +77 -0
- package/frontend/01-standards/frontend-architecture-and-layering.md +119 -0
- package/frontend/01-standards/i18n-and-localization.md +65 -0
- package/frontend/01-standards/nextjs-complete.md +451 -0
- package/frontend/01-standards/react-complete.md +713 -0
- package/frontend/01-standards/react-hooks-complete-guide.md +1100 -0
- package/frontend/01-standards/react-hooks-complete.md +1171 -0
- package/frontend/01-standards/seo-and-web-vitals.md +77 -0
- package/frontend/01-standards/state-management-complete.md +444 -0
- package/frontend/01-standards/vue-complete.md +499 -0
- package/frontend/01-standards/vue3-complete.md +2002 -0
- package/frontend/01-standards/web-framework-best-practices.md +64 -0
- package/frontend/01-standards/web-performance-complete.md +495 -0
- package/frontend/02-playbooks/accessibility-a11y-playbook.md +161 -0
- package/frontend/02-playbooks/frontend-performance-playbook.md +707 -0
- package/frontend/02-playbooks/i18n-internationalization-playbook.md +120 -0
- package/frontend/02-playbooks/performance-optimization-playbook.md +163 -0
- package/frontend/02-playbooks/react-nextjs-production-playbook.md +167 -0
- package/frontend/02-playbooks/react-state-management-playbook.md +173 -0
- package/frontend/03-checklists/component-quality-checklist.md +166 -0
- package/frontend/03-checklists/frontend-launch-checklist.md +299 -0
- package/frontend/04-antipatterns/frontend-antipatterns.md +886 -0
- package/frontend/05-cases/case-performance-optimization.md +274 -0
- package/harmony/01-standards/harmonyos-arkts-standard.md +75 -0
- package/harmony/01-standards/harmonyos-design.md +65 -0
- package/high-quality-engineering-playbook.md +54 -0
- package/incident/01-standards/incident-response-complete.md +303 -0
- package/incident/02-playbooks/chaos-engineering-playbook.md +883 -0
- package/incident/02-playbooks/postmortem-playbook.md +398 -0
- package/incident/03-checklists/incident-readiness-checklist.md +181 -0
- package/incident/04-antipatterns/incident-antipatterns.md +490 -0
- package/incident/05-cases/case-cascade-failure.md +176 -0
- package/incident/06-glossary/incident-glossary.md +114 -0
- package/incident/postmortem-and-response-deep-dive.md +39 -0
- package/industries/ecommerce/ecommerce-complete.md +631 -0
- package/industries/education/education-complete.md +555 -0
- package/industries/fintech/fintech-complete.md +501 -0
- package/industries/gaming/gaming-complete.md +587 -0
- package/industries/healthcare/healthcare-complete.md +452 -0
- package/low-code/01-standards/low-code-complete.md +944 -0
- package/miniprogram/01-standards/ai-common-mistakes.md +61 -0
- package/miniprogram/01-standards/miniprogram-custom-navbar-capsule.md +77 -0
- package/miniprogram/01-standards/miniprogram-design.md +61 -0
- package/miniprogram/01-standards/miniprogram-standard.md +81 -0
- package/mobile/01-standards/android-material-design.md +70 -0
- package/mobile/01-standards/flutter-complete.md +384 -0
- package/mobile/01-standards/ios-design-hig.md +78 -0
- package/mobile/01-standards/mobile-app-standard.md +85 -0
- package/mobile/01-standards/react-native-complete.md +352 -0
- package/mobile/02-playbooks/mobile-cross-platform-playbook.md +175 -0
- package/mobile/02-playbooks/mobile-performance.md +473 -0
- package/mobile/03-checklists/mobile-release-checklist.md +234 -0
- package/mobile/04-antipatterns/mobile-antipatterns.md +798 -0
- package/mobile/05-cases/case-app-performance.md +500 -0
- package/mobile/05-cases/case-app-startup-optimization.md +218 -0
- package/mobile/06-glossary/mobile-glossary.md +484 -0
- package/observability/01-standards/observability-standards.md +103 -0
- package/observability/02-playbooks/prometheus-grafana-playbook.md +135 -0
- package/observability/02-playbooks/structured-logging-playbook.md +73 -0
- package/observability/03-checklists/observability-checklist.md +54 -0
- package/observability/04-antipatterns/observability-antipatterns.md +106 -0
- package/operations/01-standards/prometheus-monitoring-complete.md +1578 -0
- package/operations/02-playbooks/capacity-planning-playbook.md +620 -0
- package/operations/03-checklists/production-launch-checklist.md +365 -0
- package/operations/04-antipatterns/operations-antipatterns.md +664 -0
- package/operations/05-cases/case-sre-practices.md +581 -0
- package/operations/06-glossary/operations-glossary.md +120 -0
- package/operations/aiops-anomaly-detection.md +758 -0
- package/operations/capacity-planning.md +1061 -0
- package/operations/chaos-engineering.md +659 -0
- package/operations/incident-command-system.md +38 -0
- package/operations/observability-complete.md +442 -0
- package/operations/slo-sli-playbook.md +517 -0
- package/operations/sre-operations-deep-dive.md +39 -0
- package/package.json +8 -0
- package/performance/01-standards/performance-and-scalability.md +80 -0
- package/performance/01-standards/performance-standards.md +156 -0
- package/performance/02-playbooks/query-optimization-playbook.md +103 -0
- package/performance/03-checklists/performance-checklist.md +56 -0
- package/performance/04-antipatterns/performance-antipatterns.md +146 -0
- package/product/01-standards/product-management-complete.md +285 -0
- package/product/02-playbooks/feature-launch-playbook.md +207 -0
- package/product/02-playbooks/user-research-playbook.md +532 -0
- package/product/03-checklists/feature-launch-checklist.md +275 -0
- package/product/04-antipatterns/product-antipatterns.md +355 -0
- package/product/05-cases/case-mvp-to-scale.md +384 -0
- package/product/06-glossary/product-glossary.md +462 -0
- package/product/feature-prioritization-framework.md +40 -0
- package/product/kpi-and-metric-tree.md +37 -0
- package/product/product-discovery-and-prd-deep-dive.md +41 -0
- package/quantum/01-standards/quantum-complete.md +1186 -0
- package/security/01-standards/api-security-complete.md +511 -0
- package/security/01-standards/container-runtime-security.md +574 -0
- package/security/01-standards/data-protection-gdpr.md +543 -0
- package/security/01-standards/owasp-top10-complete.md +1890 -0
- package/security/01-standards/secure-coding-baseline.md +90 -0
- package/security/01-standards/supply-chain-security.md +441 -0
- package/security/01-standards/web-security-checklist.md +108 -0
- package/security/01-standards/zero-trust-architecture.md +521 -0
- package/security/02-playbooks/auth-sso-playbook.md +166 -0
- package/security/02-playbooks/incident-response-security-playbook.md +588 -0
- package/security/02-playbooks/owasp-api-security-playbook.md +129 -0
- package/security/02-playbooks/payment-integration-playbook.md +119 -0
- package/security/02-playbooks/penetration-testing-playbook.md +517 -0
- package/security/03-checklists/security-audit-checklist.md +356 -0
- package/security/04-antipatterns/security-coding-antipatterns.md +580 -0
- package/security/05-cases/case-log4shell-incident.md +537 -0
- package/security/05-cases/case-major-breaches.md +468 -0
- package/security/06-glossary/security-glossary.md +212 -0
- package/security/compliance-automation.md +993 -0
- package/security/container-security.md +680 -0
- package/security/devsecops-complete.md +426 -0
- package/security/sast-dast-sca.md +775 -0
- package/security/secrets-management.md +594 -0
- package/security/security-architecture-deep-dive.md +37 -0
- package/security/threat-modeling-stride-playbook.md +40 -0
- package/seed-templates/auth-system.md +59 -0
- package/seed-templates/blog-content.md +94 -0
- package/seed-templates/dashboard.md +89 -0
- package/seed-templates/docs-site.md +73 -0
- package/seed-templates/e-commerce.md +50 -0
- package/seed-templates/saas-landing.md +92 -0
- package/seed-templates/settings-page.md +51 -0
- package/testing/01-standards/test-strategy-and-layering.md +83 -0
- package/testing/01-standards/testing-strategy-complete.md +422 -0
- package/testing/01-standards/unit-testing-best-practices.md +118 -0
- package/testing/02-playbooks/e2e-testing-playbook.md +988 -0
- package/testing/02-playbooks/testing-strategy-playbook.md +126 -0
- package/testing/03-checklists/test-strategy-checklist.md +208 -0
- package/testing/04-antipatterns/testing-antipatterns.md +718 -0
- package/testing/05-cases/case-testing-transformation.md +300 -0
- package/testing/06-glossary/testing-glossary.md +110 -0
- package/testing/risk-based-test-matrix.md +36 -0
- package/testing/testing-strategy-deep-dive.md +37 -0
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: secure-coding-baseline
|
|
3
|
+
title: 安全编码基线(商业级必读 · OWASP 驱动)
|
|
4
|
+
domain: security
|
|
5
|
+
category: 01-standards
|
|
6
|
+
difficulty: intermediate
|
|
7
|
+
tags: [安全, security, owasp, 鉴权, 授权, 注入, sql注入, xss, csrf, 密钥, 密码哈希, 限流, 最小权限, 商业级]
|
|
8
|
+
quality_score: 95
|
|
9
|
+
last_updated: 2026-06-19
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# 安全编码基线(商业级必读 · OWASP 驱动)
|
|
13
|
+
|
|
14
|
+
> 上线即面对真实攻击。这是每个商业级后端/全栈必须满足的安全底线(对齐 OWASP Top 10)。**不是可选项**,缺任何一条都可能造成数据泄露/资金损失。
|
|
15
|
+
|
|
16
|
+
## 1. 认证(Authentication)
|
|
17
|
+
|
|
18
|
+
- 密码**必须用 bcrypt / argon2 / scrypt 加盐哈希**存储,绝不明文、绝不用 MD5/SHA1。
|
|
19
|
+
- 登录失败信息模糊("账号或密码错误"),不暴露账号是否存在;登录加限流/锁定防爆破。
|
|
20
|
+
- JWT:设短过期 + refresh 机制;签名算法固定(拒绝 `alg:none`);密钥够强且在 env;敏感场景用服务端 session。
|
|
21
|
+
- 多因素(MFA)用于高权限/敏感操作。
|
|
22
|
+
|
|
23
|
+
## 2. 授权(Authorization)—— 越权是头号漏洞
|
|
24
|
+
|
|
25
|
+
- **每个受保护操作都要在服务层校验"这个用户能否操作这条资源"**(对象级授权),不能只靠"登录了就行"或前端隐藏按钮。
|
|
26
|
+
- 防 IDOR / BOLA:`GET /orders/{id}` 必须校验该 order 属于当前用户,不能凭 id 直取。
|
|
27
|
+
- 最小权限原则:默认拒绝,按角色/权限显式放行;后台/管理端额外加固。
|
|
28
|
+
|
|
29
|
+
## 3. 注入(Injection)
|
|
30
|
+
|
|
31
|
+
- **SQL 一律参数化/预编译或用 ORM 参数绑定**,绝不字符串拼接 SQL。
|
|
32
|
+
- 命令执行避免拼接用户输入;必须时用白名单 + 转义。
|
|
33
|
+
- NoSQL / LDAP / XPath 同理参数化。
|
|
34
|
+
- 模板/表达式不要 eval 用户输入。
|
|
35
|
+
|
|
36
|
+
## 4. 输入校验与输出编码
|
|
37
|
+
|
|
38
|
+
- 所有外部输入在边界校验(类型/长度/范围/白名单),拒绝非法而非"尽量修"。
|
|
39
|
+
- 输出到 HTML 做转义防 XSS;前端避免 `dangerouslySetInnerHTML`/`v-html` 直出用户内容;设置 CSP。
|
|
40
|
+
- 文件上传校验类型/大小/内容,存储隔离、重命名、不可执行。
|
|
41
|
+
|
|
42
|
+
## 5. 会话与 CSRF
|
|
43
|
+
|
|
44
|
+
- Cookie 设 `HttpOnly` + `Secure` + `SameSite`;token 不放可被 JS 读取处时防 XSS 窃取。
|
|
45
|
+
- 状态变更(表单/写操作)防 CSRF:SameSite cookie + CSRF token 或仅用 Bearer。
|
|
46
|
+
- 退出登录使 token/session 失效。
|
|
47
|
+
|
|
48
|
+
## 6. 密钥与配置
|
|
49
|
+
|
|
50
|
+
- **密钥/密码/token 绝不硬编码进源码或提交进仓库**,一律走环境变量/密钥管理(Vault/KMS),`.env` 入 gitignore,提供 `.env.example` 占位。
|
|
51
|
+
- 不在日志/报错/响应里打印密钥、密码、完整 token、PII。
|
|
52
|
+
- 第三方密钥定期轮换;不同环境不同密钥。
|
|
53
|
+
|
|
54
|
+
## 7. 传输与数据保护
|
|
55
|
+
|
|
56
|
+
- 全站 HTTPS / TLS;启用 HSTS。
|
|
57
|
+
- 敏感数据(PII、支付)传输加密、必要时静态加密;最小化收集与留存。
|
|
58
|
+
- 合规(GDPR/个保法):可删除、可导出、明确留存期。
|
|
59
|
+
|
|
60
|
+
## 8. 依赖与供应链
|
|
61
|
+
|
|
62
|
+
- 锁定依赖版本(lockfile);CI 跑 `npm audit` / `pip-audit` / `cargo audit` 扫漏洞。
|
|
63
|
+
- 不引入未审查的小众包(防 typosquatting/供应链投毒)。
|
|
64
|
+
- 及时升级有 CVE 的依赖。
|
|
65
|
+
|
|
66
|
+
## 9. 限流、错误与日志
|
|
67
|
+
|
|
68
|
+
- 登录、发码、支付、搜索等加限流(按 IP/用户/端点)。
|
|
69
|
+
- 错误对客户端模糊(500 不暴露栈/SQL/路径),对内记录完整上下文(requestId)。
|
|
70
|
+
- 安全相关事件(登录、权限变更、失败尝试)审计日志。
|
|
71
|
+
|
|
72
|
+
## 10. 反模式(出现即不合格)
|
|
73
|
+
|
|
74
|
+
- 明文/弱哈希存密码;JWT 允许 `alg:none`、永不过期。
|
|
75
|
+
- 只校验登录、不做对象级授权(可越权访问他人数据)。
|
|
76
|
+
- 拼接 SQL;eval 用户输入;`v-html`/`dangerouslySetInnerHTML` 直出用户内容。
|
|
77
|
+
- 密钥硬编码/提交进仓库;日志打印密钥/PII。
|
|
78
|
+
- 无限流、无依赖漏洞扫描、500 暴露内部细节。
|
|
79
|
+
|
|
80
|
+
## 11. 最低交付 checklist
|
|
81
|
+
|
|
82
|
+
- [ ] 密码 bcrypt/argon2 哈希;登录限流防爆破;JWT 短过期且算法固定。
|
|
83
|
+
- [ ] 每个受保护操作做对象级授权(防 IDOR/BOLA),默认拒绝、最小权限。
|
|
84
|
+
- [ ] SQL 全参数化;输入边界校验;输出转义 + CSP 防 XSS。
|
|
85
|
+
- [ ] 状态变更防 CSRF;Cookie HttpOnly/Secure/SameSite。
|
|
86
|
+
- [ ] 密钥全走 env/密钥管理,不入源码/日志;HTTPS+HSTS。
|
|
87
|
+
- [ ] 依赖锁定 + CI 漏洞扫描;关键端点限流;500 不泄露细节 + 审计日志。
|
|
88
|
+
|
|
89
|
+
---
|
|
90
|
+
**参考**:OWASP Top 10、OWASP ASVS、OWASP Cheat Sheets、CWE。
|
|
@@ -0,0 +1,441 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: supply-chain-security
|
|
3
|
+
title: 软件供应链安全
|
|
4
|
+
domain: security
|
|
5
|
+
category: 01-standards
|
|
6
|
+
difficulty: intermediate
|
|
7
|
+
tags: [agent, chain, checklist, security, supply, 实战代码示例, 常见陷阱, 最佳实践]
|
|
8
|
+
quality_score: 70
|
|
9
|
+
last_updated: 2026-06-15
|
|
10
|
+
---
|
|
11
|
+
# 软件供应链安全
|
|
12
|
+
|
|
13
|
+
## 概述
|
|
14
|
+
软件供应链攻击通过篡改构建流程、注入恶意依赖或利用已知漏洞来危害系统安全。本指南覆盖依赖扫描、SBOM、签名验证、Lock文件、CVE监控等完整供应链安全体系。
|
|
15
|
+
|
|
16
|
+
## 核心概念
|
|
17
|
+
|
|
18
|
+
### 1. 供应链攻击向量
|
|
19
|
+
- **依赖混淆(Dependency Confusion)**: 公共仓库中注册与内部包同名的恶意包
|
|
20
|
+
- **Typosquatting**: 注册与流行包名相似的恶意包(如requets vs requests)
|
|
21
|
+
- **恶意维护者**: 合法包的维护者被收买或账号被盗
|
|
22
|
+
- **构建系统入侵**: CI/CD流水线被注入恶意步骤
|
|
23
|
+
- **已知漏洞利用**: 使用含CVE的过期依赖
|
|
24
|
+
|
|
25
|
+
### 2. 防护层次
|
|
26
|
+
| 层次 | 防护措施 | 工具 |
|
|
27
|
+
|------|----------|------|
|
|
28
|
+
| 依赖选择 | 评估包的可信度 | Socket.dev/Snyk Advisor |
|
|
29
|
+
| 依赖锁定 | Lock文件固定版本和哈希 | pip freeze/poetry.lock/npm lockfile |
|
|
30
|
+
| 漏洞扫描 | 持续扫描已知CVE | Snyk/Trivy/Dependabot/OSV |
|
|
31
|
+
| SBOM | 生成软件物料清单 | Syft/CycloneDX/SPDX |
|
|
32
|
+
| 签名验证 | 验证包的完整性和来源 | Sigstore/cosign/pip --require-hashes |
|
|
33
|
+
| 构建安全 | 可重现构建/最小权限 | SLSA/GitHub Actions |
|
|
34
|
+
|
|
35
|
+
### 3. SLSA框架(Supply chain Levels for Software Artifacts)
|
|
36
|
+
- **Level 1**: 构建过程有文档记录
|
|
37
|
+
- **Level 2**: 版本控制和构建服务
|
|
38
|
+
- **Level 3**: 安全的构建平台,不可篡改的出处证明
|
|
39
|
+
- **Level 4**: 双人审核,密封可重现构建
|
|
40
|
+
|
|
41
|
+
## 实战代码示例
|
|
42
|
+
|
|
43
|
+
### 依赖锁定(Python)
|
|
44
|
+
|
|
45
|
+
```toml
|
|
46
|
+
# pyproject.toml — 指定版本范围
|
|
47
|
+
[project]
|
|
48
|
+
dependencies = [
|
|
49
|
+
"fastapi>=0.100,<1.0",
|
|
50
|
+
"pydantic>=2.0,<3.0",
|
|
51
|
+
"httpx>=0.25,<1.0",
|
|
52
|
+
]
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
# 使用pip-compile生成精确锁文件
|
|
57
|
+
pip install pip-tools
|
|
58
|
+
|
|
59
|
+
# 生成requirements.txt(含哈希)
|
|
60
|
+
pip-compile --generate-hashes pyproject.toml -o requirements.txt
|
|
61
|
+
|
|
62
|
+
# 生成的requirements.txt包含哈希验证
|
|
63
|
+
# fastapi==0.109.0 \
|
|
64
|
+
# --hash=sha256:abcdef... \
|
|
65
|
+
# --hash=sha256:123456...
|
|
66
|
+
|
|
67
|
+
# 安装时验证哈希
|
|
68
|
+
pip install --require-hashes -r requirements.txt
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
# Poetry锁定
|
|
73
|
+
poetry lock
|
|
74
|
+
poetry install --no-root # 精确安装lockfile中的版本
|
|
75
|
+
|
|
76
|
+
# uv锁定
|
|
77
|
+
uv lock
|
|
78
|
+
uv sync
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
### 依赖扫描CI集成
|
|
82
|
+
|
|
83
|
+
```yaml
|
|
84
|
+
# .github/workflows/security.yml
|
|
85
|
+
name: Supply Chain Security
|
|
86
|
+
on:
|
|
87
|
+
push:
|
|
88
|
+
branches: [main]
|
|
89
|
+
pull_request:
|
|
90
|
+
schedule:
|
|
91
|
+
- cron: '0 8 * * 1' # 每周一扫描
|
|
92
|
+
|
|
93
|
+
jobs:
|
|
94
|
+
dependency-scan:
|
|
95
|
+
runs-on: ubuntu-latest
|
|
96
|
+
steps:
|
|
97
|
+
- uses: actions/checkout@v4
|
|
98
|
+
|
|
99
|
+
# Python依赖扫描
|
|
100
|
+
- name: Run Trivy vulnerability scanner
|
|
101
|
+
uses: aquasecurity/trivy-action@master
|
|
102
|
+
with:
|
|
103
|
+
scan-type: 'fs'
|
|
104
|
+
scan-ref: '.'
|
|
105
|
+
format: 'sarif'
|
|
106
|
+
output: 'trivy-results.sarif'
|
|
107
|
+
severity: 'HIGH,CRITICAL'
|
|
108
|
+
|
|
109
|
+
- name: Upload Trivy scan results
|
|
110
|
+
uses: github/codeql-action/upload-sarif@v3
|
|
111
|
+
with:
|
|
112
|
+
sarif_file: 'trivy-results.sarif'
|
|
113
|
+
|
|
114
|
+
# npm依赖审计
|
|
115
|
+
- name: npm audit
|
|
116
|
+
working-directory: frontend
|
|
117
|
+
run: npm audit --audit-level=high
|
|
118
|
+
|
|
119
|
+
# 使用OSV-Scanner
|
|
120
|
+
- name: OSV Scanner
|
|
121
|
+
uses: google/osv-scanner-action/osv-scanner-action@v1
|
|
122
|
+
with:
|
|
123
|
+
scan-args: |-
|
|
124
|
+
--lockfile=requirements.txt
|
|
125
|
+
--lockfile=frontend/package-lock.json
|
|
126
|
+
|
|
127
|
+
sbom-generation:
|
|
128
|
+
runs-on: ubuntu-latest
|
|
129
|
+
steps:
|
|
130
|
+
- uses: actions/checkout@v4
|
|
131
|
+
|
|
132
|
+
- name: Generate SBOM
|
|
133
|
+
uses: anchore/sbom-action@v0
|
|
134
|
+
with:
|
|
135
|
+
format: cyclonedx-json
|
|
136
|
+
output-file: sbom.json
|
|
137
|
+
|
|
138
|
+
- name: Upload SBOM
|
|
139
|
+
uses: actions/upload-artifact@v4
|
|
140
|
+
with:
|
|
141
|
+
name: sbom
|
|
142
|
+
path: sbom.json
|
|
143
|
+
|
|
144
|
+
license-check:
|
|
145
|
+
runs-on: ubuntu-latest
|
|
146
|
+
steps:
|
|
147
|
+
- uses: actions/checkout@v4
|
|
148
|
+
- uses: actions/setup-python@v5
|
|
149
|
+
with:
|
|
150
|
+
python-version: '3.12'
|
|
151
|
+
- name: Check licenses
|
|
152
|
+
run: |
|
|
153
|
+
pip install pip-licenses
|
|
154
|
+
pip install -e .
|
|
155
|
+
pip-licenses --fail-on="GPL-3.0;AGPL-3.0" --format=json > licenses.json
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
### SBOM生成与验证
|
|
159
|
+
|
|
160
|
+
```bash
|
|
161
|
+
# 使用Syft生成SBOM
|
|
162
|
+
syft . -o cyclonedx-json > sbom.json
|
|
163
|
+
syft . -o spdx-json > sbom-spdx.json
|
|
164
|
+
|
|
165
|
+
# 使用Grype扫描SBOM中的漏洞
|
|
166
|
+
grype sbom:sbom.json --fail-on high
|
|
167
|
+
|
|
168
|
+
# Python原生SBOM
|
|
169
|
+
pip install cyclonedx-bom
|
|
170
|
+
cyclonedx-py environment -o sbom.json --format json
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
```python
|
|
174
|
+
# 程序化生成SBOM
|
|
175
|
+
from cyclonedx.model.bom import Bom
|
|
176
|
+
from cyclonedx.model.component import Component, ComponentType
|
|
177
|
+
from cyclonedx.output.json import JsonV1Dot5
|
|
178
|
+
|
|
179
|
+
def generate_sbom(requirements_file: str) -> str:
|
|
180
|
+
"""从requirements.txt生成SBOM"""
|
|
181
|
+
bom = Bom()
|
|
182
|
+
|
|
183
|
+
with open(requirements_file) as f:
|
|
184
|
+
for line in f:
|
|
185
|
+
line = line.strip()
|
|
186
|
+
if not line or line.startswith('#'):
|
|
187
|
+
continue
|
|
188
|
+
name, _, version = line.partition('==')
|
|
189
|
+
if version:
|
|
190
|
+
component = Component(
|
|
191
|
+
name=name.strip(),
|
|
192
|
+
version=version.strip(),
|
|
193
|
+
type=ComponentType.LIBRARY,
|
|
194
|
+
)
|
|
195
|
+
bom.components.add(component)
|
|
196
|
+
|
|
197
|
+
output = JsonV1Dot5(bom)
|
|
198
|
+
return output.output_as_string()
|
|
199
|
+
```
|
|
200
|
+
|
|
201
|
+
### 签名验证
|
|
202
|
+
|
|
203
|
+
```bash
|
|
204
|
+
# 使用cosign签名容器镜像
|
|
205
|
+
cosign sign --key cosign.key myregistry.com/myapp:v1.0
|
|
206
|
+
|
|
207
|
+
# 验证签名
|
|
208
|
+
cosign verify --key cosign.pub myregistry.com/myapp:v1.0
|
|
209
|
+
|
|
210
|
+
# 使用Sigstore无密钥签名(基于OIDC)
|
|
211
|
+
cosign sign --identity-token=$(gcloud auth print-identity-token) myregistry.com/myapp:v1.0
|
|
212
|
+
cosign verify --certificate-identity=user@example.com \
|
|
213
|
+
--certificate-oidc-issuer=https://accounts.google.com \
|
|
214
|
+
myregistry.com/myapp:v1.0
|
|
215
|
+
```
|
|
216
|
+
|
|
217
|
+
```yaml
|
|
218
|
+
# Kubernetes准入控制验证镜像签名
|
|
219
|
+
# Kyverno策略
|
|
220
|
+
apiVersion: kyverno.io/v1
|
|
221
|
+
kind: ClusterPolicy
|
|
222
|
+
metadata:
|
|
223
|
+
name: verify-image-signature
|
|
224
|
+
spec:
|
|
225
|
+
validationFailureAction: Enforce
|
|
226
|
+
rules:
|
|
227
|
+
- name: verify-cosign-signature
|
|
228
|
+
match:
|
|
229
|
+
resources:
|
|
230
|
+
kinds:
|
|
231
|
+
- Pod
|
|
232
|
+
verifyImages:
|
|
233
|
+
- imageReferences:
|
|
234
|
+
- "myregistry.com/*"
|
|
235
|
+
attestors:
|
|
236
|
+
- entries:
|
|
237
|
+
- keys:
|
|
238
|
+
publicKeys: |-
|
|
239
|
+
-----BEGIN PUBLIC KEY-----
|
|
240
|
+
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...
|
|
241
|
+
-----END PUBLIC KEY-----
|
|
242
|
+
```
|
|
243
|
+
|
|
244
|
+
### 依赖混淆防护
|
|
245
|
+
|
|
246
|
+
```ini
|
|
247
|
+
# pip.conf — 配置内部仓库优先
|
|
248
|
+
[global]
|
|
249
|
+
index-url = https://internal.pypi.example.com/simple/
|
|
250
|
+
extra-index-url = https://pypi.org/simple/
|
|
251
|
+
|
|
252
|
+
# 更安全: 只使用内部仓库(内部仓库代理外部包)
|
|
253
|
+
[global]
|
|
254
|
+
index-url = https://internal.pypi.example.com/simple/
|
|
255
|
+
```
|
|
256
|
+
|
|
257
|
+
```bash
|
|
258
|
+
# npm — 配置scope到内部仓库
|
|
259
|
+
# .npmrc
|
|
260
|
+
@myorg:registry=https://npm.internal.example.com/
|
|
261
|
+
registry=https://registry.npmjs.org/
|
|
262
|
+
```
|
|
263
|
+
|
|
264
|
+
```python
|
|
265
|
+
# 自动检测可疑依赖
|
|
266
|
+
import subprocess
|
|
267
|
+
import json
|
|
268
|
+
|
|
269
|
+
def audit_new_dependencies(requirements_before: str, requirements_after: str):
|
|
270
|
+
"""检测新增依赖是否可疑"""
|
|
271
|
+
before = set(parse_requirements(requirements_before))
|
|
272
|
+
after = set(parse_requirements(requirements_after))
|
|
273
|
+
new_deps = after - before
|
|
274
|
+
|
|
275
|
+
alerts = []
|
|
276
|
+
for dep in new_deps:
|
|
277
|
+
info = get_pypi_info(dep)
|
|
278
|
+
if not info:
|
|
279
|
+
alerts.append(f"Package {dep} not found on PyPI")
|
|
280
|
+
continue
|
|
281
|
+
|
|
282
|
+
# 检查可疑指标
|
|
283
|
+
if info["downloads_last_month"] < 100:
|
|
284
|
+
alerts.append(f"{dep}: Very low downloads ({info['downloads_last_month']})")
|
|
285
|
+
if info["age_days"] < 30:
|
|
286
|
+
alerts.append(f"{dep}: Very new package ({info['age_days']} days)")
|
|
287
|
+
if info["maintainer_count"] == 1:
|
|
288
|
+
alerts.append(f"{dep}: Single maintainer")
|
|
289
|
+
|
|
290
|
+
return alerts
|
|
291
|
+
```
|
|
292
|
+
|
|
293
|
+
### Dependabot配置
|
|
294
|
+
|
|
295
|
+
```yaml
|
|
296
|
+
# .github/dependabot.yml
|
|
297
|
+
version: 2
|
|
298
|
+
updates:
|
|
299
|
+
# Python依赖
|
|
300
|
+
- package-ecosystem: "pip"
|
|
301
|
+
directory: "/"
|
|
302
|
+
schedule:
|
|
303
|
+
interval: "weekly"
|
|
304
|
+
day: "monday"
|
|
305
|
+
open-pull-requests-limit: 10
|
|
306
|
+
reviewers:
|
|
307
|
+
- "security-team"
|
|
308
|
+
labels:
|
|
309
|
+
- "dependencies"
|
|
310
|
+
- "security"
|
|
311
|
+
# 自动合并小版本更新
|
|
312
|
+
allow:
|
|
313
|
+
- dependency-type: "direct"
|
|
314
|
+
ignore:
|
|
315
|
+
- dependency-name: "*"
|
|
316
|
+
update-types: ["version-update:semver-major"]
|
|
317
|
+
|
|
318
|
+
# npm依赖
|
|
319
|
+
- package-ecosystem: "npm"
|
|
320
|
+
directory: "/frontend"
|
|
321
|
+
schedule:
|
|
322
|
+
interval: "weekly"
|
|
323
|
+
open-pull-requests-limit: 10
|
|
324
|
+
|
|
325
|
+
# Docker基础镜像
|
|
326
|
+
- package-ecosystem: "docker"
|
|
327
|
+
directory: "/"
|
|
328
|
+
schedule:
|
|
329
|
+
interval: "weekly"
|
|
330
|
+
|
|
331
|
+
# GitHub Actions
|
|
332
|
+
- package-ecosystem: "github-actions"
|
|
333
|
+
directory: "/"
|
|
334
|
+
schedule:
|
|
335
|
+
interval: "weekly"
|
|
336
|
+
```
|
|
337
|
+
|
|
338
|
+
## 最佳实践
|
|
339
|
+
|
|
340
|
+
### 1. 依赖管理
|
|
341
|
+
- 使用锁文件固定所有依赖(包括传递依赖)的精确版本
|
|
342
|
+
- 生产安装使用`--require-hashes`验证完整性
|
|
343
|
+
- 定期更新依赖(至少每月一次)
|
|
344
|
+
- 审核新增依赖(下载量/维护活跃度/许可证)
|
|
345
|
+
|
|
346
|
+
### 2. 漏洞管理
|
|
347
|
+
- CI中集成漏洞扫描(阻断高危/严重)
|
|
348
|
+
- 配置Dependabot/Renovate自动PR
|
|
349
|
+
- 建立CVE响应流程(48小时内评估Critical)
|
|
350
|
+
- 维护已知漏洞的例外清单(含理由和到期日)
|
|
351
|
+
|
|
352
|
+
### 3. SBOM实践
|
|
353
|
+
- 每次发布生成SBOM
|
|
354
|
+
- SBOM存储在制品仓库
|
|
355
|
+
- 定期用SBOM扫描新发现的漏洞
|
|
356
|
+
- 合规需求时提供SBOM给客户
|
|
357
|
+
|
|
358
|
+
### 4. 构建安全
|
|
359
|
+
- CI/CD使用最小权限(GITHUB_TOKEN scope限制)
|
|
360
|
+
- Pin GitHub Actions到commit SHA而非tag
|
|
361
|
+
- 构建环境隔离(不共享缓存)
|
|
362
|
+
- 审核CI/CD配置变更
|
|
363
|
+
|
|
364
|
+
### 5. 内部仓库
|
|
365
|
+
- 设置内部包仓库代理外部源
|
|
366
|
+
- 配置依赖混淆防护(scope/namespace)
|
|
367
|
+
- 内部包使用组织scope(如@myorg/package)
|
|
368
|
+
- 定期审计仓库中的包
|
|
369
|
+
|
|
370
|
+
## 常见陷阱
|
|
371
|
+
|
|
372
|
+
### 陷阱1: 不锁定传递依赖
|
|
373
|
+
```bash
|
|
374
|
+
# 错误: requirements.txt只列直接依赖
|
|
375
|
+
fastapi
|
|
376
|
+
pydantic
|
|
377
|
+
|
|
378
|
+
# 正确: 锁定全部依赖链
|
|
379
|
+
fastapi==0.109.0
|
|
380
|
+
pydantic==2.5.3
|
|
381
|
+
starlette==0.35.1
|
|
382
|
+
anyio==4.2.0
|
|
383
|
+
# ... 所有传递依赖
|
|
384
|
+
```
|
|
385
|
+
|
|
386
|
+
### 陷阱2: CI中使用@latest
|
|
387
|
+
```yaml
|
|
388
|
+
# 错误: Action可能被篡改
|
|
389
|
+
- uses: actions/checkout@main
|
|
390
|
+
|
|
391
|
+
# 正确: 锁定到commit SHA
|
|
392
|
+
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
|
393
|
+
```
|
|
394
|
+
|
|
395
|
+
### 陷阱3: 忽略开发依赖的安全
|
|
396
|
+
```bash
|
|
397
|
+
# 开发依赖也可能被利用(恶意的eslint插件/pytest插件)
|
|
398
|
+
# 对dev依赖同样需要审计和扫描
|
|
399
|
+
```
|
|
400
|
+
|
|
401
|
+
### 陷阱4: 只依赖自动扫描
|
|
402
|
+
```python
|
|
403
|
+
# 自动扫描只能检测已知CVE
|
|
404
|
+
# 零日攻击和恶意包需要人工审核
|
|
405
|
+
# 对于新增依赖,应该:
|
|
406
|
+
# 1. 检查GitHub Stars/活跃度
|
|
407
|
+
# 2. 检查维护者背景
|
|
408
|
+
# 3. 检查包的实际代码(尤其是postinstall脚本)
|
|
409
|
+
```
|
|
410
|
+
|
|
411
|
+
## Agent Checklist
|
|
412
|
+
|
|
413
|
+
### 依赖锁定
|
|
414
|
+
- [ ] 所有项目使用锁文件
|
|
415
|
+
- [ ] 锁文件包含哈希值
|
|
416
|
+
- [ ] 锁文件提交到版本控制
|
|
417
|
+
- [ ] CI中安装使用锁文件
|
|
418
|
+
|
|
419
|
+
### 漏洞扫描
|
|
420
|
+
- [ ] CI集成自动漏洞扫描
|
|
421
|
+
- [ ] 高危/严重漏洞阻断构建
|
|
422
|
+
- [ ] Dependabot/Renovate已配置
|
|
423
|
+
- [ ] CVE响应流程已建立
|
|
424
|
+
|
|
425
|
+
### SBOM与合规
|
|
426
|
+
- [ ] 发布时生成SBOM
|
|
427
|
+
- [ ] 许可证合规检查已集成
|
|
428
|
+
- [ ] SBOM存储在制品仓库
|
|
429
|
+
- [ ] 可按需提供SBOM
|
|
430
|
+
|
|
431
|
+
### 构建安全
|
|
432
|
+
- [ ] CI/CD使用最小权限
|
|
433
|
+
- [ ] GitHub Actions锁定到SHA
|
|
434
|
+
- [ ] 构建环境隔离
|
|
435
|
+
- [ ] CI配置变更需要审核
|
|
436
|
+
|
|
437
|
+
### 仓库安全
|
|
438
|
+
- [ ] 配置内部包仓库
|
|
439
|
+
- [ ] 依赖混淆防护已启用
|
|
440
|
+
- [ ] 新增依赖有审核流程
|
|
441
|
+
- [ ] 定期审计依赖列表
|
|
@@ -0,0 +1,108 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: web-security-checklist
|
|
3
|
+
title: Web 应用安全检查清单
|
|
4
|
+
domain: security
|
|
5
|
+
category: 03-checklists
|
|
6
|
+
difficulty: intermediate
|
|
7
|
+
tags: [security, web, checklist]
|
|
8
|
+
quality_score: 90
|
|
9
|
+
maintainer: security-team@umadev.com
|
|
10
|
+
last_updated: 2026-03-29
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
# Web 应用安全检查清单
|
|
14
|
+
|
|
15
|
+
## OWASP Top 10 (2021)
|
|
16
|
+
|
|
17
|
+
### 1. 访问控制失效
|
|
18
|
+
- [ ] 实施基于角色的访问控制 (RBAC)
|
|
19
|
+
- [ ] 验证所有 API 端点
|
|
20
|
+
- [ ] 使用最小权限原则
|
|
21
|
+
- [ ] 记录访问控制失败
|
|
22
|
+
|
|
23
|
+
### 2. 加密失败
|
|
24
|
+
- [ ] 强制使用 TLS 1.3+
|
|
25
|
+
- [ ] 加密敏感数据 (AES-256)
|
|
26
|
+
- [ ] 密钥轮换策略
|
|
27
|
+
- [ ] 禁用弱加密算法
|
|
28
|
+
|
|
29
|
+
### 3. 注入攻击
|
|
30
|
+
- [ ] 使用参数化查询
|
|
31
|
+
- [ ] 输入验证和白名单
|
|
32
|
+
- [ ] ORM 防护
|
|
33
|
+
- [ ] 错误信息不暴露 SQL
|
|
34
|
+
|
|
35
|
+
### 4. 不安全设计
|
|
36
|
+
- [ ] 威胁建模
|
|
37
|
+
- [ ] 安全开发生命周期 (SDLC)
|
|
38
|
+
- [ ] 最小权限设计
|
|
39
|
+
- [ ] 默认拒绝策略
|
|
40
|
+
|
|
41
|
+
### 5. 安全配置错误
|
|
42
|
+
- [ ] 移除默认账户
|
|
43
|
+
- [ ] 禁用不必要的功能
|
|
44
|
+
- [ ] 安全 HTTP 头
|
|
45
|
+
- [ ] 错误处理不泄露堆栈
|
|
46
|
+
|
|
47
|
+
### 6. 易受攻击的组件
|
|
48
|
+
- [ ] 定期更新依赖
|
|
49
|
+
- [ ] 移除未使用的依赖
|
|
50
|
+
- [ ] 监控 CVE
|
|
51
|
+
- [ ] 锁定版本号
|
|
52
|
+
|
|
53
|
+
### 7. 身份识别失败
|
|
54
|
+
- [ ] 多因素认证 (MFA)
|
|
55
|
+
- [ ] 密码强度策略
|
|
56
|
+
- [ ] 账户锁定机制
|
|
57
|
+
- [ ] 会话超时
|
|
58
|
+
|
|
59
|
+
### 8. 软件和数据完整性失败
|
|
60
|
+
- [ ] 代码签名
|
|
61
|
+
- [ ] CI/CD 安全
|
|
62
|
+
- [ ] 依赖验证
|
|
63
|
+
- [ ] 自动化测试
|
|
64
|
+
|
|
65
|
+
### 9. 安全日志不足
|
|
66
|
+
- [ ] 记录认证事件
|
|
67
|
+
- [ ] 监控异常行为
|
|
68
|
+
- [ ] 集中式日志
|
|
69
|
+
- [ ] 告警机制
|
|
70
|
+
|
|
71
|
+
### 10. 服务器端请求伪造 (SSRF)
|
|
72
|
+
- [ ] 验证用户提供的 URL
|
|
73
|
+
- [ ] 网络分段
|
|
74
|
+
- [ ] 白名单域名
|
|
75
|
+
- [ ] 禁用重定向
|
|
76
|
+
|
|
77
|
+
## 通用安全实践
|
|
78
|
+
|
|
79
|
+
### 认证
|
|
80
|
+
- [ ] JWT 过期时间 < 1 小时
|
|
81
|
+
- [ ] 刷新 token 机制
|
|
82
|
+
- [ ] HTTPS Only
|
|
83
|
+
- [ ] HttpOnly + Secure cookies
|
|
84
|
+
|
|
85
|
+
### 数据保护
|
|
86
|
+
- [ ] 敏感数据加密
|
|
87
|
+
- [ ] 不记录敏感信息
|
|
88
|
+
- [ ] 安全删除
|
|
89
|
+
- [ ] 数据最小化
|
|
90
|
+
|
|
91
|
+
### API 安全
|
|
92
|
+
- [ ] 速率限制
|
|
93
|
+
- [ ] API keys 轮换
|
|
94
|
+
- [ ] 输入验证
|
|
95
|
+
- [ ] CORS 配置
|
|
96
|
+
|
|
97
|
+
### 监控
|
|
98
|
+
- [ ] 实时告警
|
|
99
|
+
- [ ] 异常检测
|
|
100
|
+
- [ ] 性能监控
|
|
101
|
+
- [ ] 安全事件追踪
|
|
102
|
+
|
|
103
|
+
## 工具推荐
|
|
104
|
+
- OWASP ZAP
|
|
105
|
+
- Burp Suite
|
|
106
|
+
- SonarQube
|
|
107
|
+
- Snyk
|
|
108
|
+
- Dependabot
|