hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

kb: expand authorized lab coverage and intel automation

浏览代码
这个提交包含在:
hao
2026-03-16 22:04:51 -07:00
父节点 cda31e86c7
当前提交 d0120fbf10
修改 592 个文件,包含 29025 行新增267 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

37
08-threat-intel/config-examples/github/.github/dependabot.yml vendored 普通文件
查看文件

@@ -0,0 +1,37 @@
# LAB ONLY
# 用途: 依赖告警与升级建议,用于研究仓库和测试资产
# 目标范围: 自有代码仓、自有测试项目
# 风险: 可能产生大量升级 PR,需要人工分流
# 不适用: 未经评估直接套到生产阻断流程
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "04:00"
open-pull-requests-limit: 10
labels:
- "security"
- "dependencies"
- "lab-review"
groups:
frontend-runtime:
patterns:
- "react*"
- "next"
- "vue*"
- "nuxt*"
- "vite*"
http-clients:
patterns:
- "axios"
- "undici"
- "node-fetch*"
- package-ecosystem: "docker"
directory: "/00-environments"
schedule:
interval: "weekly"
day: "wednesday"
time: "04:30"

41
08-threat-intel/config-examples/github/.github/workflows/codeql-javascript.yml vendored 普通文件
查看文件

@@ -0,0 +1,41 @@
# LAB ONLY
# 用途: JavaScript / TypeScript 静态安全分析
# 目标范围: 自有代码仓、自有测试项目
# 风险: 可能出现需要人工甄别的误报
# 不适用: 未经规则调优直接作为生产发布门禁
name: codeql-javascript
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
permissions:
actions: read
contents: read
security-events: write
jobs:
analyze:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language:
- javascript-typescript
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Analyze
uses: github/codeql-action/analyze@v3

25
08-threat-intel/config-examples/github/.github/workflows/dependency-review.yml vendored 普通文件
查看文件

@@ -0,0 +1,25 @@
# LAB ONLY
# 用途: PR 依赖风险观察
# 目标范围: 自有研究仓库、自有测试项目
# 风险: 高危依赖会导致 PR 失败
# 不适用: 未经调优直接作为生产阻断策略
name: dependency-review
on:
pull_request:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Review dependencies
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
comment-summary-in-pr: always

41
08-threat-intel/config-examples/github/.github/workflows/osv-sbom.yml vendored 普通文件
查看文件

@@ -0,0 +1,41 @@
# LAB ONLY
# 用途: 生成 SBOM 并用 OSV 扫描依赖漏洞
# 目标范围: 自有代码仓和实验项目
# 风险: 需要下载额外工具,运行时间较长
# 不适用: 未经缓存和版本固定直接作为生产门禁
name: osv-sbom
on:
push:
branches:
- main
workflow_dispatch:
permissions:
contents: read
jobs:
osv-sbom:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: "1.22"
- name: Install Syft and OSV-Scanner
run: |
go install github.com/anchore/syft/cmd/syft@latest
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
- name: Generate SBOM
run: |
syft dir:. -o cyclonedx-json > sbom.json
- name: Scan SBOM with OSV
run: |
osv-scanner scan --sbom=sbom.json

34
08-threat-intel/config-examples/github/.github/workflows/trivy-fs.yml vendored 普通文件
查看文件

@@ -0,0 +1,34 @@
# LAB ONLY
# 用途: 文件系统、配置与秘密扫描
# 目标范围: 自有代码仓和实验目录
# 风险: 可能报告历史样例、测试密钥或教学用漏洞文件
# 不适用: 未经白名单梳理直接作为生产阻断策略
name: trivy-fs
on:
push:
branches:
- main
workflow_dispatch:
permissions:
contents: read
jobs:
trivy-fs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Scan repository
run: |
trivy fs \
--scanners vuln,secret,config \
--severity HIGH,CRITICAL \
--exit-code 0 \
.