hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

kb: expand authorized lab coverage and intel automation

浏览代码
这个提交包含在:
hao
2026-03-16 22:04:51 -07:00
父节点 cda31e86c7
当前提交 d0120fbf10
修改 592 个文件,包含 29025 行新增267 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

22
08-threat-intel/config-examples/README.md 普通文件
查看文件

@@ -0,0 +1,22 @@
# 配置样例
> `LAB ONLY` | `非生产默认策略`
本目录保存“授权实验和验证用配置案例”,分为两类:
- GitHub / 代码仓依赖与漏洞情报配置
- 授权验证脚本与命令样例
## 样例列表
- [dependabot.yml](/Users/x/websafe/08-threat-intel/config-examples/github/.github/dependabot.yml)
- [dependency-review.yml](/Users/x/websafe/08-threat-intel/config-examples/github/.github/workflows/dependency-review.yml)
- [codeql-javascript.yml](/Users/x/websafe/08-threat-intel/config-examples/github/.github/workflows/codeql-javascript.yml)
- [trivy-fs.yml](/Users/x/websafe/08-threat-intel/config-examples/github/.github/workflows/trivy-fs.yml)
- [osv-sbom.yml](/Users/x/websafe/08-threat-intel/config-examples/github/.github/workflows/osv-sbom.yml)
- [authorized-verification-playbook.md](/Users/x/websafe/08-threat-intel/config-examples/authorized-verification-playbook.md)
## 使用原则
- 这些文件展示“如何追踪、如何观察、如何验证”,不是生产阻断策略的直接模板。
- 真正上生产前,应按组织流程做权限、误报、变更和阻断策略评估。

51
08-threat-intel/config-examples/authorized-verification-playbook.md 普通文件
查看文件

@@ -0,0 +1,51 @@
# 授权验证样例
> `LAB ONLY` | `AUTHORIZED TARGETS ONLY`
以下命令仅用于自有资产、测试环境或已明确授权的目标。
## HTTP 注入最小化验证
```bash
python3 /Users/x/websafe/01-sql-injection/tools/sqli-scanner.py \
-u "https://owned-lab.example.test/search?id=1"
```
## XSS 上下文与回显验证
```bash
python3 /Users/x/websafe/02-xss/tools/xss-fuzzer.py \
-u "https://owned-lab.example.test/search?q=test"
```
## TLS 与头部检查
```bash
python3 /Users/x/websafe/04-server-security/tls/tools/tls-scanner.py \
-u https://owned-lab.example.test
```
## 最小端口暴露验证
```bash
python3 /Users/x/websafe/04-server-security/scanning/tools/port-scanner.py \
-H owned-lab.example.test --top-ports 20
```
## 同 IP / 同证书关联分析
```bash
python3 /Users/x/websafe/04-server-security/infrastructure/tools/site-scope-mapper.py \
--target owned-lab.example.test --ack-authorized
```
## 手工检查 CSP / 响应头
```bash
curl -I https://owned-lab.example.test
```
## 记录要求
- 每次公网验证都应回填 [测试记录模板](/Users/x/websafe/09-scope-and-targeting/test-record-template.md)
- 每个目标都应登记在 [资产清单模板](/Users/x/websafe/09-scope-and-targeting/asset-inventory-template.md)

37
08-threat-intel/config-examples/github/.github/dependabot.yml vendored 普通文件
查看文件

@@ -0,0 +1,37 @@
# LAB ONLY
# 用途: 依赖告警与升级建议,用于研究仓库和测试资产
# 目标范围: 自有代码仓、自有测试项目
# 风险: 可能产生大量升级 PR,需要人工分流
# 不适用: 未经评估直接套到生产阻断流程
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "04:00"
open-pull-requests-limit: 10
labels:
- "security"
- "dependencies"
- "lab-review"
groups:
frontend-runtime:
patterns:
- "react*"
- "next"
- "vue*"
- "nuxt*"
- "vite*"
http-clients:
patterns:
- "axios"
- "undici"
- "node-fetch*"
- package-ecosystem: "docker"
directory: "/00-environments"
schedule:
interval: "weekly"
day: "wednesday"
time: "04:30"

41
08-threat-intel/config-examples/github/.github/workflows/codeql-javascript.yml vendored 普通文件
查看文件

@@ -0,0 +1,41 @@
# LAB ONLY
# 用途: JavaScript / TypeScript 静态安全分析
# 目标范围: 自有代码仓、自有测试项目
# 风险: 可能出现需要人工甄别的误报
# 不适用: 未经规则调优直接作为生产发布门禁
name: codeql-javascript
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
permissions:
actions: read
contents: read
security-events: write
jobs:
analyze:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language:
- javascript-typescript
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Analyze
uses: github/codeql-action/analyze@v3

25
08-threat-intel/config-examples/github/.github/workflows/dependency-review.yml vendored 普通文件
查看文件

@@ -0,0 +1,25 @@
# LAB ONLY
# 用途: PR 依赖风险观察
# 目标范围: 自有研究仓库、自有测试项目
# 风险: 高危依赖会导致 PR 失败
# 不适用: 未经调优直接作为生产阻断策略
name: dependency-review
on:
pull_request:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Review dependencies
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
comment-summary-in-pr: always

41
08-threat-intel/config-examples/github/.github/workflows/osv-sbom.yml vendored 普通文件
查看文件

@@ -0,0 +1,41 @@
# LAB ONLY
# 用途: 生成 SBOM 并用 OSV 扫描依赖漏洞
# 目标范围: 自有代码仓和实验项目
# 风险: 需要下载额外工具,运行时间较长
# 不适用: 未经缓存和版本固定直接作为生产门禁
name: osv-sbom
on:
push:
branches:
- main
workflow_dispatch:
permissions:
contents: read
jobs:
osv-sbom:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: "1.22"
- name: Install Syft and OSV-Scanner
run: |
go install github.com/anchore/syft/cmd/syft@latest
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
- name: Generate SBOM
run: |
syft dir:. -o cyclonedx-json > sbom.json
- name: Scan SBOM with OSV
run: |
osv-scanner scan --sbom=sbom.json

34
08-threat-intel/config-examples/github/.github/workflows/trivy-fs.yml vendored 普通文件
查看文件

@@ -0,0 +1,34 @@
# LAB ONLY
# 用途: 文件系统、配置与秘密扫描
# 目标范围: 自有代码仓和实验目录
# 风险: 可能报告历史样例、测试密钥或教学用漏洞文件
# 不适用: 未经白名单梳理直接作为生产阻断策略
name: trivy-fs
on:
push:
branches:
- main
workflow_dispatch:
permissions:
contents: read
jobs:
trivy-fs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Scan repository
run: |
trivy fs \
--scanners vuln,secret,config \
--severity HIGH,CRITICAL \
--exit-code 0 \
.