概述

Ralph Security — 100 Iterations (~30-60 min)

Comprehensive security audit with balanced depth and duration.

References

Severity definitions and triage guidance

Instructions

Execution Engine

YOU MUST follow this loop for EVERY iteration:

STATE: Read current iteration (start: 1)
PHASE: Determine phase from iteration number
ACTION: Perform ONE check from current phase
VERIFY: Before reporting FAIL — read actual code, check if a library handles it (jose, bcrypt, passport, Auth0, etc.), check DB constraints, check environment gating. If inconclusive: NEEDS_REVIEW, not FAIL.
REPORT: Output iteration result
SAVE: Every 10 iterations, update .ralph-report.md
INCREMENT: iteration = iteration + 1
CONTINUE: IF iteration <= 100 GOTO Step 1
FINAL: Generate comprehensive report

Critical rules:

ONE check per iteration — deep, not wide
ALWAYS show [SEC-X/100]
NEVER skip iterations
CRITICAL findings: flag for immediate attention

Per-Iteration Output

══════════════════════════════════════════════════════════
[SEC-{N}/100] Phase {P}: {phase_name}
Check: {specific_check}
══════════════════════════════════════════════════════════
Target: {file/endpoint/system}
Result: {PASS|FAIL|WARN|N/A}
Confidence: {VERIFIED|LIKELY|PATTERN_MATCH|NEEDS_REVIEW}
Severity: {CRITICAL|HIGH|MEDIUM|LOW|INFO}
Finding: {description}
Fix: {recommendation or "N/A"}
──────────────────────────────────────────────────────────
Progress: [██████████░░░░░░░░░░] {N}%
──────────────────────────────────────────────────────────

Persona

Senior security engineer. Evidence-based mindset, defense in depth, fail secure, least privilege.

Phase Structure (100 Iterations)

Phase	Iterations	Focus Area
-------	------------	------------
1	1-15	Reconnaissance & Sync
2	16-45	OWASP Top 10 Analysis
3	46-65	Authentication & Secrets
4	66-85	Infrastructure Security
5	86-100	Code Quality & Report

Phase 1: Reconnaissance (1-15)

Iter	Check
------	-------
1	Auto-detect stack and infra
2	Git sync: local vs remote
3	Uncommitted sensitive files
4	.env in .gitignore
5	Public endpoints enumeration
6	Authentication requirements mapping
7	Rate limiting coverage
8	Exposed ports (host/container)
9	Hidden services discovery
10	Cron jobs and scheduled tasks
11	Environment variable audit
12	Docker environment check
13	Documentation vs reality
14	Attack surface score
15	Phase 1 summary

Phase 2: OWASP Top 10 (16-45)

Iter	OWASP	Check
------	-------	-------
16-18	A01	Broken Access Control (IDOR, CORS, path traversal)
19-21	A02	Cryptographic Failures (weak algos, key mgmt, TLS)
22-27	A03	Injection (SQL, Command, XSS, Template, Log)
28-30	A04	Insecure Design (missing controls, business logic)
31-33	A05	Security Misconfiguration (debug, errors, headers)
34-36	A06	Vulnerable Components (dependency audit)
37-39	A07	Auth Failures (credential stuffing, session mgmt)
40-42	A08	Integrity Failures (deserialization, CI/CD)
43-44	A09	Logging Failures (coverage, security)
45	A10	SSRF (URL validation, metadata protection)

Phase 3: Authentication & Secrets (46-65)

Pre-check: Determine if codebase uses well-known libraries vs custom implementations. Library-handled crypto is generally safe — focus on USAGE errors.

Iter	Check
------	-------
46-50	Secret detection (API keys, passwords, tokens)
51-55	JWT security (algorithm, claims, storage, revocation)
56-58	OAuth 2.0 (PKCE, redirect URI, state)
59-62	Admin authentication (brute force, timing, lockout)
63-65	Rate limiting analysis (coverage, bypass)

Phase 4: Infrastructure (66-85)

Iter	Check
------	-------
66-70	Container security (non-root, readonly, limits)
71-75	Network security (ports, firewall, isolation)
76-78	TLS/SSL (cert validity, ciphers, HSTS)
79-81	SSH security (key auth, config hardening)
82-85	Database security (SSL, permissions, access)

Phase 5: Code Quality & Report (86-100)

Pre-check: Check database constraints before flagging race conditions.

Iter	Check
------	-------
86-88	Race conditions (TOCTOU, concurrent access)
89-91	Business logic flaws (workflow, rate limit bypass)
92-94	Error handling (safe messages, fail-safe)
95-97	Resource management (connections, memory)
98	Critical findings review
99	Security scorecard generation
100	Final report generation

Auto-Detect (Iteration 1)

git rev-parse --show-toplevel, git remote -v
Stack: package.json, pyproject.toml, requirements.txt, go.mod
Infra: Dockerfile, docker-compose.yml, k8s manifests
CI/CD: .github/workflows, .gitlab-ci.yml
Skip non-applicable checks, mark N/A

Report File

On start: rename existing .ralph-report.md to .ralph-report-{YYYY-MM-DD-HHmm}.md. Auto-save every 10 iterations.

Parameters

Param	Default	Options
-------	---------	---------
`--iterations`	100	1-200
`--focus`	all	recon, owasp, secrets, auth, infra, code, all
`--phase`	all	1-5
`--resume`	—	Continue from checkpoint

Context Limit Protocol

If approaching context limit: checkpoint to report file, output resume command, wait for new session.

When to Use

Weekly security check
New project onboarding
Before major release
Standard security audit

版本历史

共 1 个版本

v3.0.0 当前

2026-03-29 08:51 安全安全

安全检测

腾讯云安全 (Keen)

安全，无风险

查看报告

腾讯云安全 (Sanbu)