dash-devtools 1.0.0__py3-none-any.whl

dash_devtools/hooks/__init__.py

@@ -0,0 +1,250 @@
+"""
+Git Hooks 整合 v2.0
+
+提供 pre-commit 和 pre-push 安全檢查
+支援：
+- Vue 3 + Vite + DaisyUI 專案
+- Python FastAPI 專案 (Ruff 整合)
+- 純 Proxy 閘道專案
+"""
+
+from .pre_commit import run_pre_commit_check
+from .pre_push import run_pre_push_check
+
+__all__ = ['run_pre_commit_check', 'run_pre_push_check', 'install_hooks']
+
+
+# Pre-push hook 腳本 v2.0（支援 Vue 3 + Python）
+PRE_PUSH_HOOK = '''#!/bin/bash
+# DashAI DevTools Pre-push Hook v2.0
+# 支援：Vue 3 + Vite、Python FastAPI、純 Proxy 閘道
+
+PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+
+echo ""
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "[i] DashAI DevTools Pre-push 檢查"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+
+# 步驟 0: 檢查 Emoji
+echo "[>] 步驟 0/3: 檢查 Emoji..."
+EMOJI_FILES=$(git diff --cached --name-only --diff-filter=ACM | xargs grep -l '[\\x{1F300}-\\x{1F9FF}]' 2>/dev/null || true)
+if [ -n "$EMOJI_FILES" ]; then
+    echo "[x] 發現 Emoji，請移除："
+    echo "$EMOJI_FILES"
+    exit 1
+fi
+echo "[v] 無 Emoji"
+echo ""
+
+# 步驟 1: 掃描機敏資料
+echo "[>] 步驟 1/3: 掃描機敏資料..."
+dash scan "$PROJECT_ROOT"
+if [ $? -ne 0 ]; then
+    echo ""
+    echo "[x] 安全檢查失敗，推送已取消"
+    exit 1
+fi
+echo ""
+
+# 步驟 2: 驗證專案規範
+echo "[>] 步驟 2/3: 驗證專案..."
+
+# 偵測專案類型
+IS_FRONTEND=false
+IS_PYTHON=false
+IS_PROXY_ONLY=false
+
+if [ -f "$PROJECT_ROOT/package.json" ]; then
+    IS_FRONTEND=true
+
+    # 檢查是否為純 Proxy 閘道（無 api/ 目錄）
+    if [ -f "$PROJECT_ROOT/vercel.json" ] && [ ! -d "$PROJECT_ROOT/api" ]; then
+        if grep -q "https://" "$PROJECT_ROOT/vercel.json" 2>/dev/null; then
+            IS_PROXY_ONLY=true
+            echo "   偵測到：純 Proxy 閘道專案"
+        fi
+    fi
+fi
+
+if [ -f "$PROJECT_ROOT/requirements.txt" ] || [ -f "$PROJECT_ROOT/pyproject.toml" ]; then
+    IS_PYTHON=true
+    echo "   偵測到：Python 專案"
+fi
+
+# 執行驗證
+if [ "$IS_FRONTEND" = true ]; then
+    dash validate "$PROJECT_ROOT" --check smart 2>/dev/null || true
+fi
+
+# Python Ruff 檢查
+if [ "$IS_PYTHON" = true ]; then
+    if command -v ruff &> /dev/null; then
+        echo "   [ruff] 檢查程式碼..."
+        ruff check "$PROJECT_ROOT" --quiet || echo "   [!] Ruff 發現問題（警告）"
+        ruff format --check "$PROJECT_ROOT" --quiet 2>/dev/null || echo "   [!] 有檔案需要格式化"
+    else
+        echo "   (Ruff 未安裝，跳過 Python lint)"
+    fi
+fi
+
+if [ "$IS_FRONTEND" = false ] && [ "$IS_PYTHON" = false ]; then
+    echo "   (未偵測到前端或 Python 專案，跳過驗證)"
+fi
+echo ""
+
+# 步驟 3: 執行測試
+echo "[>] 步驟 3/4: 執行測試..."
+TEST_RESULT=0
+
+if [ "$IS_FRONTEND" = true ]; then
+    # 檢查是否有測試腳本
+    if grep -q '"test"' "$PROJECT_ROOT/package.json" 2>/dev/null; then
+        cd "$PROJECT_ROOT"
+
+        # 偵測測試框架並執行
+        if grep -q '"vitest"' package.json 2>/dev/null; then
+            echo "   [vitest] 執行測試..."
+            npx vitest run --passWithNoTests 2>&1 || TEST_RESULT=$?
+        elif grep -q '"jest"' package.json 2>/dev/null; then
+            echo "   [jest] 執行測試..."
+            npx jest --passWithNoTests 2>&1 || TEST_RESULT=$?
+        elif grep -q '"karma"' package.json 2>/dev/null || grep -q '"@angular-devkit"' package.json 2>/dev/null; then
+            echo "   [karma] 執行測試..."
+            npm test -- --no-watch --browsers=ChromeHeadless 2>&1 || TEST_RESULT=$?
+        else
+            echo "   (無已知測試框架，跳過)"
+        fi
+    else
+        echo "   (無測試腳本，跳過)"
+    fi
+fi
+
+if [ "$IS_PYTHON" = true ]; then
+    if [ -d "$PROJECT_ROOT/tests" ] || [ -f "$PROJECT_ROOT/pytest.ini" ] || [ -f "$PROJECT_ROOT/pyproject.toml" ]; then
+        if command -v pytest &> /dev/null; then
+            echo "   [pytest] 執行測試..."
+            cd "$PROJECT_ROOT"
+            python -m pytest -q --tb=short 2>&1 || TEST_RESULT=$?
+        else
+            echo "   (pytest 未安裝，跳過)"
+        fi
+    fi
+fi
+
+if [ $TEST_RESULT -ne 0 ]; then
+    if [ "$DASH_STRICT_TEST" = "1" ]; then
+        echo ""
+        echo "[x] 測試失敗，推送已取消 (嚴格模式)"
+        exit 1
+    else
+        echo ""
+        echo "[!] 測試失敗，但繼續推送 (警告模式)"
+        echo "    使用 --strict 安裝 hook 可強制測試通過"
+    fi
+fi
+echo ""
+
+# 步驟 4: E2E 煙霧測試 (如果已設定)
+if [ -n "$DASH_E2E_URL" ]; then
+    echo "[>] 步驟 4/4: E2E 煙霧測試..."
+    echo "   測試網址: $DASH_E2E_URL"
+
+    # 桌面版測試
+    dash e2e "$DASH_E2E_URL" --timeout 45000
+    E2E_RESULT=$?
+
+    # 手機版測試 (如果啟用)
+    if [ "$DASH_MOBILE_E2E" = "1" ] && [ $E2E_RESULT -eq 0 ]; then
+        echo ""
+        echo "   [手機版測試] 375x812"
+        dash e2e "$DASH_E2E_URL" --timeout 45000 --mobile
+        E2E_RESULT=$?
+    fi
+
+    if [ $E2E_RESULT -ne 0 ]; then
+        if [ "$DASH_STRICT_E2E" = "1" ]; then
+            echo ""
+            echo "[x] E2E 測試失敗，推送已取消"
+            exit 1
+        else
+            echo ""
+            echo "[!] E2E 測試失敗，但繼續推送 (警告模式)"
+            echo "    使用 --strict-e2e 安裝 hook 可強制 E2E 通過"
+        fi
+    fi
+    echo ""
+else
+    echo "[>] 步驟 4/4: E2E 煙霧測試..."
+    echo "   (未設定 E2E 網址，跳過)"
+    echo "   使用 --e2e <URL> 安裝 hook 可啟用 E2E 測試"
+    echo "   使用 --mobile-e2e 可同時檢查手機版水平溢出"
+    echo ""
+fi
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "[v] 所有檢查通過，繼續推送..."
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+'''
+
+# Pre-commit hook 腳本
+PRE_COMMIT_HOOK = '''#!/bin/bash
+# DashAI DevTools Pre-commit Hook
+PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+
+echo "掃描機敏資料..."
+dash scan "$PROJECT_ROOT"
+'''
+
+
+def install_hooks(project_path, strict_test: bool = False, e2e_url: str = None, strict_e2e: bool = False, mobile_e2e: bool = False):
+    """安裝 git hooks 到專案
+
+    Args:
+        project_path: 專案路徑
+        strict_test: 是否啟用嚴格測試模式（測試失敗會阻止推送）
+        e2e_url: E2E 測試網址（設定後每次推送會執行煙霧測試）
+        strict_e2e: 是否啟用嚴格 E2E 模式（E2E 失敗會阻止推送）
+        mobile_e2e: 是否同時執行手機版 E2E 測試（檢查水平溢出）
+    """
+    from pathlib import Path
+    import stat
+
+    hooks_dir = Path(project_path) / '.git' / 'hooks'
+    if not hooks_dir.exists():
+        return {'success': False, 'error': '.git/hooks 目錄不存在'}
+
+    # Pre-commit hook
+    pre_commit = hooks_dir / 'pre-commit'
+    pre_commit.write_text(PRE_COMMIT_HOOK, encoding='utf-8')
+    pre_commit.chmod(pre_commit.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+
+    # Pre-push hook
+    pre_push = hooks_dir / 'pre-push'
+    env_vars = []
+
+    # 如果啟用嚴格模式，加入環境變數
+    if strict_test:
+        env_vars.append('export DASH_STRICT_TEST=1')
+
+    # E2E 設定
+    if e2e_url:
+        env_vars.append(f'export DASH_E2E_URL="{e2e_url}"')
+        if strict_e2e:
+            env_vars.append('export DASH_STRICT_E2E=1')
+        if mobile_e2e:
+            env_vars.append('export DASH_MOBILE_E2E=1')
+
+    hook_content = '\n'.join(env_vars) + '\n' + PRE_PUSH_HOOK if env_vars else PRE_PUSH_HOOK
+
+    pre_push.write_text(hook_content, encoding='utf-8')
+    pre_push.chmod(pre_push.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+
+    return {
+        'success': True,
+        'strict_test': strict_test,
+        'e2e_url': e2e_url,
+        'strict_e2e': strict_e2e,
+        'mobile_e2e': mobile_e2e
+    }

dash_devtools/hooks/pre_commit.py

@@ -0,0 +1,161 @@
+"""
+Pre-commit 檢查
+"""
+
+import re
+from pathlib import Path
+from fnmatch import fnmatch
+
+
+# 敏感資料正則表達式
+# 注意：要避免假陽性，模式需要精確匹配硬編碼的值，而非變數賦值
+SENSITIVE_PATTERNS = [
+    # API Key: 必須有引號包住的值（排除函數呼叫）
+    (r'(?i)(api[_-]?key|apikey)\s*[=:]\s*["\'][a-zA-Z0-9_-]{20,}["\']', 'API Key'),
+    # Secret/Token: 特定命名且有引號包住的值
+    (r'(?i)(client_?secret|api_?secret|secret_?key)\s*[=:]\s*["\'][a-zA-Z0-9_-]{20,}["\']', 'Secret/Token'),
+    # 密碼: 需要引號且長度 >= 8
+    (r'(?i)password\s*[=:]\s*["\'][^"\']{8,}["\']', '密碼'),
+    # 特定格式的 Key (這些格式明確，不會有假陽性)
+    (r'sk-[a-zA-Z0-9]{48}', 'OpenAI API Key'),
+    (r'sk_live_[a-zA-Z0-9]{24,}', 'Stripe Live Key'),
+    (r'ghp_[a-zA-Z0-9]{36}', 'GitHub Token'),
+    (r'CLERK_SECRET_KEY\s*=\s*["\']?sk_[a-zA-Z0-9_-]{20,}', 'Clerk Secret Key'),
+    (r'-----BEGIN (RSA )?PRIVATE KEY-----', '私鑰'),
+    (r'AKIA[0-9A-Z]{16}', 'AWS Access Key'),
+    # Neon Database API Key (napi_ 開頭)
+    (r'napi_[a-zA-Z0-9]{60,}', 'Neon API Key'),
+    # PostgreSQL 連線字串 (含密碼)
+    (r'postgres(?:ql)?://[^:<]+:[^@<]+@[^\s"\']+', 'PostgreSQL 連線字串'),
+    # Neon PostgreSQL 密碼 (npg_ 開頭)
+    (r'npg_[a-zA-Z0-9]{10,}', 'Neon PostgreSQL 密碼'),
+]
+
+
+def parse_scanignore(project_path):
+    """解析 .scanignore 檔案
+
+    格式：
+    - # 開頭為註解
+    - 空行忽略
+    - path/to/file 或 path/to/dir/ - 排除檔案或目錄
+    - [pattern:名稱] path/glob - 只排除特定 pattern
+
+    Returns:
+        dict: {
+            'paths': [str, ...],                    # 全排除的路徑 glob
+            'pattern_paths': [(pattern_name, glob), ...]  # 特定 pattern 排除
+        }
+    """
+    scanignore_file = Path(project_path) / '.scanignore'
+    result = {'paths': [], 'pattern_paths': []}
+
+    if not scanignore_file.exists():
+        return result
+
+    try:
+        for line in scanignore_file.read_text(encoding='utf-8').splitlines():
+            line = line.strip()
+            if not line or line.startswith('#'):
+                continue
+
+            # [pattern:名稱] path/glob
+            pattern_match = re.match(r'^\[pattern:(.+?)\]\s+(.+)$', line)
+            if pattern_match:
+                pattern_name = pattern_match.group(1).strip()
+                path_glob = pattern_match.group(2).strip()
+                result['pattern_paths'].append((pattern_name, path_glob))
+            else:
+                result['paths'].append(line)
+    except Exception:
+        pass
+
+    return result
+
+
+def is_scan_ignored(rel_path, pattern_name, scanignore):
+    """檢查檔案是否在 .scanignore 中
+
+    Args:
+        rel_path: 相對於專案根目錄的路徑 (str)
+        pattern_name: 目前檢測的 pattern 名稱 (str)，None 表示檢查所有 pattern
+        scanignore: parse_scanignore() 的回傳值
+
+    Returns:
+        bool: True 表示應跳過
+    """
+    # 全排除路徑
+    for glob_pattern in scanignore['paths']:
+        # 目錄匹配 (pattern 以 / 結尾或不含 .)
+        if glob_pattern.endswith('/'):
+            if rel_path.startswith(glob_pattern) or rel_path.startswith(glob_pattern.rstrip('/')):
+                return True
+        # glob 匹配
+        if fnmatch(rel_path, glob_pattern):
+            return True
+        # 前綴匹配 (目錄)
+        if rel_path.startswith(glob_pattern.rstrip('/') + '/'):
+            return True
+
+    # 特定 pattern 排除
+    if pattern_name:
+        for p_name, p_glob in scanignore['pattern_paths']:
+            if p_name == pattern_name:
+                if fnmatch(rel_path, p_glob):
+                    return True
+                if p_glob.endswith('/') and rel_path.startswith(p_glob.rstrip('/') + '/'):
+                    return True
+                if rel_path.startswith(p_glob.rstrip('/') + '/'):
+                    return True
+
+    return False
+
+
+def run_pre_commit_check(project_path):
+    """執行 pre-commit 檢查"""
+    project = Path(project_path)
+    issues = []
+    scanignore = parse_scanignore(project_path)
+
+    # 檢查 staged 檔案
+    import subprocess
+    result = subprocess.run(
+        ['git', 'diff', '--cached', '--name-only'],
+        cwd=project,
+        capture_output=True,
+        text=True
+    )
+
+    staged_files = result.stdout.strip().split('\n') if result.stdout.strip() else []
+
+    for file_name in staged_files:
+        file_path = project / file_name
+        if not file_path.exists() or not file_path.is_file():
+            continue
+
+        # 跳過二進制檔案
+        if file_path.suffix in ['.png', '.jpg', '.gif', '.ico', '.pdf', '.zip']:
+            continue
+
+        # 跳過 .scanignore 全排除的檔案
+        if is_scan_ignored(file_name, None, scanignore):
+            continue
+
+        try:
+            content = file_path.read_text(encoding='utf-8')
+            for pattern, desc in SENSITIVE_PATTERNS:
+                # 跳過 .scanignore 特定 pattern 排除
+                if is_scan_ignored(file_name, desc, scanignore):
+                    continue
+                if re.search(pattern, content):
+                    issues.append({
+                        'file': file_name,
+                        'type': desc
+                    })
+        except Exception:
+            pass
+
+    return {
+        'passed': len(issues) == 0,
+        'issues': issues
+    }

dash_devtools/hooks/pre_push.py

@@ -0,0 +1,275 @@
+"""
+Pre-push 檢查
+
+支援功能：
+1. GitGuardian (ggshield) 機敏資料掃描
+2. 測試執行 (Vitest / Jest / Pytest)
+3. 強制門檻：測試失敗禁止推送
+
+使用 --strict 選項強制測試通過才能推送
+"""
+
+from .pre_commit import run_pre_commit_check, SENSITIVE_PATTERNS, parse_scanignore, is_scan_ignored
+import re
+import os
+import subprocess
+from pathlib import Path
+
+
+def run_tests(project_path, strict=False):
+    """
+    執行專案測試
+
+    Args:
+        project_path: 專案路徑
+        strict: 嚴格模式 - 測試失敗時禁止推送
+
+    Returns:
+        dict: {passed: bool, engine: str, message: str}
+    """
+    project = Path(project_path)
+    package_json = project / 'package.json'
+    pytest_ini = project / 'pytest.ini'
+    pyproject = project / 'pyproject.toml'
+
+    results = []
+
+    # 1. Node.js 專案測試 (Vitest / Jest / Karma)
+    if package_json.exists():
+        try:
+            import json
+            pkg = json.loads(package_json.read_text())
+            scripts = pkg.get('scripts', {})
+
+            if 'test' in scripts:
+                result = subprocess.run(
+                    ['npm', 'run', 'test'],
+                    capture_output=True,
+                    text=True,
+                    cwd=project_path,
+                    timeout=300  # 5 分鐘超時
+                )
+
+                test_engine = 'Vitest'
+                if 'jest' in scripts.get('test', ''):
+                    test_engine = 'Jest'
+                elif 'karma' in scripts.get('test', ''):
+                    test_engine = 'Karma'
+
+                results.append({
+                    'engine': test_engine,
+                    'passed': result.returncode == 0,
+                    'output': result.stdout + result.stderr
+                })
+        except subprocess.TimeoutExpired:
+            results.append({
+                'engine': 'npm test',
+                'passed': False,
+                'output': '測試執行超時 (5 分鐘)'
+            })
+        except Exception as e:
+            results.append({
+                'engine': 'npm test',
+                'passed': True,  # 無法執行時不阻擋
+                'output': f'跳過: {str(e)}'
+            })
+
+    # 2. Python 專案測試 (pytest)
+    if pytest_ini.exists() or (pyproject.exists() and '[tool.pytest' in pyproject.read_text()):
+        tests_dir = project / 'tests'
+        if tests_dir.exists():
+            try:
+                result = subprocess.run(
+                    ['python3', '-m', 'pytest', 'tests/', '-v', '--tb=short'],
+                    capture_output=True,
+                    text=True,
+                    cwd=project_path,
+                    timeout=300
+                )
+
+                results.append({
+                    'engine': 'Pytest',
+                    'passed': result.returncode == 0,
+                    'output': result.stdout + result.stderr
+                })
+            except subprocess.TimeoutExpired:
+                results.append({
+                    'engine': 'Pytest',
+                    'passed': False,
+                    'output': '測試執行超時 (5 分鐘)'
+                })
+            except Exception as e:
+                results.append({
+                    'engine': 'Pytest',
+                    'passed': True,
+                    'output': f'跳過: {str(e)}'
+                })
+
+    # 彙總結果
+    if not results:
+        return {
+            'passed': True,
+            'engine': 'None',
+            'message': '未偵測到測試框架'
+        }
+
+    all_passed = all(r['passed'] for r in results)
+    engines = [r['engine'] for r in results]
+
+    return {
+        'passed': all_passed or not strict,
+        'strict_failed': not all_passed and strict,
+        'engine': ', '.join(engines),
+        'message': '所有測試通過' if all_passed else '測試失敗',
+        'details': results
+    }
+
+
+def run_ggshield_scan(project_path):
+    """使用 GitGuardian ggshield 掃描"""
+    try:
+        # 檢查是否有 API Key
+        if not os.environ.get('GITGUARDIAN_API_KEY'):
+            return None
+
+        # 檢查 ggshield 是否安裝
+        result = subprocess.run(
+            ['ggshield', '--version'],
+            capture_output=True,
+            text=True
+        )
+        if result.returncode != 0:
+            return None
+
+        # 執行掃描 (忽略 .claude 本地設定和 node_modules)
+        result = subprocess.run(
+            ['ggshield', 'secret', 'scan', 'path', str(project_path),
+             '--recursive', '--exit-zero', '--json', '--yes',
+             '--ignore-path', '.claude/',
+             '--ignore-path', 'node_modules/',
+             '--ignore-path', '.env',
+             '--ignore-path', '.env.local'],
+            capture_output=True,
+            text=True,
+            cwd=project_path
+        )
+
+        # 解析結果
+        import json
+        try:
+            data = json.loads(result.stdout)
+            issues = []
+
+            # ggshield 輸出格式
+            if 'entities_with_incidents' in data:
+                for entity in data.get('entities_with_incidents', []):
+                    filename = entity.get('filename', 'unknown')
+                    for incident in entity.get('incidents', []):
+                        issues.append({
+                            'file': filename,
+                            'type': incident.get('type', 'Secret'),
+                            'count': 1
+                        })
+
+            return {
+                'passed': len(issues) == 0,
+                'issues': issues,
+                'engine': 'GitGuardian'
+            }
+        except json.JSONDecodeError:
+            return None
+
+    except Exception:
+        return None
+
+
+def run_pre_push_check(project_path):
+    """執行 pre-push 檢查 (掃描整個專案)"""
+    project = Path(project_path)
+
+    # 優先使用 GitGuardian
+    gg_result = run_ggshield_scan(project_path)
+    if gg_result is not None:
+        return gg_result
+
+    # 備援：使用本地正則表達式
+    issues = []
+
+    # 忽略的目錄和檔案
+    ignore_dirs = [
+        'node_modules', '.git', 'dist', 'build', '.next', '__pycache__',
+        'venv', '.venv', '.angular', '.cache', 'coverage'
+    ]
+    ignore_files = ['.env.example', '.env.sample', '.env.template']
+
+    # 讀取 .scanignore
+    scanignore = parse_scanignore(project_path)
+
+    # 讀取 .gitignore 檔案
+    gitignore_patterns = []
+    gitignore_file = project / '.gitignore'
+    if gitignore_file.exists():
+        try:
+            for line in gitignore_file.read_text().splitlines():
+                line = line.strip()
+                if line and not line.startswith('#'):
+                    gitignore_patterns.append(line)
+        except Exception:
+            pass
+
+    def is_gitignored(file_path):
+        """檢查檔案是否在 .gitignore 中"""
+        rel_path = str(file_path.relative_to(project))
+        file_name = file_path.name
+        for pattern in gitignore_patterns:
+            # 簡單匹配：完全匹配或 pattern 在路徑中
+            if pattern == file_name or pattern == rel_path:
+                return True
+            if pattern.startswith('*.') and file_name.endswith(pattern[1:]):
+                return True
+            if pattern.endswith('/') and pattern[:-1] in rel_path.split('/'):
+                return True
+            if pattern in rel_path:
+                return True
+        return False
+
+    # 掃描所有檔案（不含 .env，因為應該都在 .gitignore）
+    extensions = ['*.js', '*.ts', '*.jsx', '*.tsx', '*.py', '*.json', '*.yaml', '*.yml']
+
+    for ext in extensions:
+        for file_path in project.rglob(ext):
+            rel_path = str(file_path.relative_to(project))
+
+            # 跳過忽略的目錄
+            if any(ignore in str(file_path) for ignore in ignore_dirs):
+                continue
+            # 跳過範例檔案
+            if file_path.name in ignore_files:
+                continue
+            # 跳過 .gitignore 中的檔案
+            if is_gitignored(file_path):
+                continue
+            # 跳過 .scanignore 全排除的檔案
+            if is_scan_ignored(rel_path, None, scanignore):
+                continue
+
+            try:
+                content = file_path.read_text(encoding='utf-8')
+                for pattern, desc in SENSITIVE_PATTERNS:
+                    # 跳過 .scanignore 特定 pattern 排除
+                    if is_scan_ignored(rel_path, desc, scanignore):
+                        continue
+                    matches = re.findall(pattern, content)
+                    if matches:
+                        issues.append({
+                            'file': rel_path,
+                            'type': desc,
+                            'count': len(matches)
+                        })
+            except Exception:
+                pass
+
+    return {
+        'passed': len(issues) == 0,
+        'issues': issues
+    }