niuniu/lijiaoqiao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cb3c503152efcdcb351864f538de5d1e57c981a2
lijiaoqiao/scripts/ci/m013_credential_scan.sh
Your Name e82bf0b25d feat(compliance): 验证CI脚本可执行性 
- m013_credential_scan.sh: 凭证泄露扫描
- m017_sbom.sh: SBOM生成
- m017_lockfile_diff.sh: Lockfile差异检查
- m017_compat_matrix.sh: 兼容性矩阵
- m017_risk_register.sh: 风险登记
- m017_dependency_audit.sh: 依赖审计
- compliance_gate.sh: 合规门禁主脚本

R-04 完成。
2026-04-03 11:57:23 +08:00

243 lines
5.8 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/usr/bin/env bash
# scripts/ci/m013_credential_scan.sh - M-013凭证泄露扫描脚本
# 功能:扫描响应体、日志、导出文件中的凭证泄露
# 输出JSON格式结果
set -e
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PROJECT_ROOT="${PROJECT_ROOT:-$(cd "$SCRIPT_DIR/.." && pwd)}"
# 默认值
INPUT_FILE=""
INPUT_TYPE="auto" # auto, json, log, export, webhook
OUTPUT_FORMAT="text" # text, json
VERBOSE=false
# 使用说明
usage() {
cat << EOF
使用说明: $(basename "$0") [选项]
选项:
-i, --input <文件> 输入文件路径 (必需)
-t, --type <类型> 输入类型: auto, json, log, export, webhook (默认: auto)
-o, --output <格式> 输出格式: text, json (默认: text)
-v, --verbose 详细输出
-h, --help 显示帮助信息
示例:
$(basename "$0") --input response.json
$(basename "$0") --input logs/app.log --type log
退出码:
0 - 无凭证泄露
1 - 发现凭证泄露
2 - 错误
EOF
exit 0
}
# 解析命令行参数
parse_args() {
while [[ $# -gt 0 ]]; do
case $1 in
-i|--input)
INPUT_FILE="$2"
shift 2
;;
-t|--type)
INPUT_TYPE="$2"
shift 2
;;
-o|--output)
OUTPUT_FORMAT="$2"
shift 2
;;
-v|--verbose)
VERBOSE=true
shift
;;
-h|--help)
usage
;;
*)
echo "未知选项: $1"
usage
;;
esac
done
}
# 验证输入文件
validate_input() {
if [ -z "$INPUT_FILE" ]; then
echo "ERROR: 必须指定输入文件 (--input)" >&2
exit 2
fi
if [ ! -f "$INPUT_FILE" ]; then
if [ "$OUTPUT_FORMAT" = "json" ]; then
echo "{\"status\": \"error\", \"message\": \"file not found: $INPUT_FILE\"}" >&2
else
echo "ERROR: 文件不存在: $INPUT_FILE" >&2
fi
exit 2
fi
}
# 检测输入类型
detect_input_type() {
if [ "$INPUT_TYPE" != "auto" ]; then
return
fi
# 根据文件扩展名检测
case "$INPUT_FILE" in
*.json)
INPUT_TYPE="json"
;;
*.log)
INPUT_TYPE="log"
;;
*.csv)
INPUT_TYPE="export"
;;
*)
# 尝试检测是否为JSON
if head -c 10 "$INPUT_FILE" 2>/dev/null | grep -q '{'; then
INPUT_TYPE="json"
else
INPUT_TYPE="log"
fi
;;
esac
}
# 扫描JSON内容
scan_json() {
local content="$1"
if ! command -v python3 >/dev/null 2>&1; then
# 没有Python使用grep
local found=0
for pattern in \
"sk-[a-zA-Z0-9]\{20,\}" \
"sk-ant-[a-zA-Z0-9-]\{20,\}" \
"AKIA[0-9A-Z]\{16\}" \
"api[_-]key" \
"bearer" \
"secret" \
"token"; do
if grep -qE "$pattern" "$INPUT_FILE" 2>/dev/null; then
found=$((found + $(grep -cE "$pattern" "$INPUT_FILE" 2>/dev/null || echo 0)))
fi
done
echo "$found"
return
fi
# 使用Python进行JSON解析和凭证扫描
python3 << 'PYTHON_SCRIPT'
import sys
import re
import json
patterns = [
r"sk-[a-zA-Z0-9]{20,}",
r"sk-ant-[a-zA-Z0-9-]{20,}",
r"AKIA[0-9A-Z]{16}",
r"api_key",
r"bearer",
r"secret",
r"token",
]
try:
content = sys.stdin.read()
data = json.loads(content)
def search_strings(obj, path=""):
results = []
if isinstance(obj, str):
for pattern in patterns:
if re.search(pattern, obj, re.IGNORECASE):
results.append(pattern)
return results
elif isinstance(obj, dict):
result = []
for key, value in obj.items():
result.extend(search_strings(value, f"{path}.{key}"))
return result
elif isinstance(obj, list):
result = []
for i, item in enumerate(obj):
result.extend(search_strings(item, f"{path}[{i}]"))
return result
return []
all_matches = search_strings(data)
# 去重
unique_patterns = list(set(all_matches))
print(len(unique_patterns))
except Exception:
print("0")
PYTHON_SCRIPT
}
# 执行扫描
run_scan() {
local credentials_found
case "$INPUT_TYPE" in
json|webhook)
credentials_found=$(scan_json "$(cat "$INPUT_FILE")")
;;
log)
credentials_found=$(scan_json "$(cat "$INPUT_FILE")")
;;
export)
credentials_found=$(scan_json "$(cat "$INPUT_FILE")")
;;
*)
credentials_found=$(scan_json "$(cat "$INPUT_FILE")")
;;
esac
# 确保credentials_found是数字
credentials_found=${credentials_found:-0}
# 输出结果
if [ "$OUTPUT_FORMAT" = "json" ]; then
if [ "$credentials_found" -gt 0 ] 2>/dev/null; then
echo "{\"status\": \"failed\", \"credentials_found\": $credentials_found, \"rule_id\": \"CRED-EXPOSE-RESPONSE\"}"
return 1
else
echo "{\"status\": \"passed\", \"credentials_found\": 0}"
return 0
fi
else
if [ "$credentials_found" -gt 0 ] 2>/dev/null; then
echo "[M-013] FAILED: 发现 $credentials_found 个凭证泄露"
return 1
else
echo "[M-013] PASSED: 无凭证泄露"
return 0
fi
fi
}
# 主函数
main() {
parse_args "$@"
validate_input
detect_input_type
run_scan
}
# 运行
main "$@"
Reference in New Issue View Git Blame Copy Permalink