security-plus

Enhanced security with OWASP Top 10, dependency scanning, SAST/DAST, secrets detection, compliance checks, and security hardening guides.

Author: yjkj999999
Category: Uncategorized | community | v1.0.0 (1 version, #latest) | 100000 | Key: not required
Stars: 0 | Downloads: 14 | Installs: 0

Overview

Security Plus

Enhanced security with OWASP Top 10, vulnerability scanning, and compliance checks.

Features

  • OWASP Top 10: Complete coverage of web application risks
  • Vulnerability Scanning: SAST, DAST, dependency scanning
  • Secrets Detection: Prevent credential leaks
  • Compliance Checks: GDPR, HIPAA, SOC2 basics
  • Security Hardening: Server, application, database hardening

Quick Reference

Risk                | Category  | Mitigation
--------------------|-----------|-----------------------------------
Injection           | A03:2021  | Parameterized queries
Broken Auth         | A07:2021  | MFA, secure session
XSS                 | A03:2021  | Input validation, output encoding
SSRF                | A10:2021  | Input validation, allowlists
Security Misconfig  | A05:2021  | Secure defaults, hardening

OWASP Top 10 (2021)

A01: Broken Access Control

# Prevention
- Deny by default
- Implement RBAC/ABAC
- Validate permissions server-side
- Log access control failures
- Rate limit API access

A02: Cryptographic Failures

# Prevention
- Use strong algorithms (AES-256, RSA-2048+)
- Never store passwords in plaintext
- Use bcrypt/argon2 for password hashing
- Encrypt data at rest and in transit
- Manage keys properly

A03: Injection

# Prevention
- Use parameterized queries
- Validate and sanitize input
- Use ORM/ODM libraries
- Escape output
- Use LIMIT and other SQL controls
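To show why the parameterized-query item matters, here is an added Python example (not part of the security-plus skill) using the standard-library sqlite3 module: the deliberately injectable lookup beside its bound-parameter form, plus the allowlist-and-LIMIT pattern for the parts of a query that cannot be bound. The table, its rows and the malformed input are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # Deliberately injectable, kept only as the 'before' case: the input is
    # spliced into the SQL text, so a quote in `name` rewrites the WHERE clause.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]

def find_user_parameterized(conn, name):
    # Bound parameter: the driver passes `name` as a value, never as SQL text,
    # so quotes inside it are compared literally against the column.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_users_sorted(conn, column, limit=10):
    # Identifiers cannot be bound, so validate them against an allowlist before
    # they reach the query; the row cap is a bound LIMIT (the "SQL controls" item).
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column} LIMIT ?", (limit,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed malformed input
    print("vulnerable:", find_user_vulnerable(db, tautology))        # every row leaks
    print("parameterized:", find_user_parameterized(db, tautology))  # []
    print("sorted:", list_users_sorted(db, "name", limit=2))
```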

A04: Insecure Design

# Prevention
- Threat modeling
- Secure design patterns
- Reference architecture
- Security requirements
- Secure development lifecycle

A05: Security Misconfiguration

# Prevention
- Secure defaults
- Minimal installation
- Review configurations
- Automated verification
- Hardening guides

A06: Vulnerable Components

# Prevention
- Dependency scanning
- Automated updates
- Software composition analysis
- Monitor CVEs
- Remove unused dependencies

A07: Authentication Failures

# Prevention
- Multi-factor authentication
- Secure password storage
- Rate limiting
- Session management
- Account lockout

A08: Software and Data Integrity

# Prevention
- Digital signatures
- CI/CD pipeline security
- Dependency verification
- Code review
- Integrity checks

A09: Security Logging Failures

# Prevention
- Log security events
- Centralized logging
- Alert on suspicious activity
- Log integrity protection
- Incident response plan

A10: Server-Side Request Forgery

# Prevention
- Input validation
- URL allowlists
- Disable HTTP redirections
- Segment networks
- Protect cloud metadata endpoints

Vulnerability Scanning

SAST (Static Application Security Testing)

# SonarQube
sonar-scanner

# Semgrep
semgrep scan --config=auto

# Bandit (Python)
bandit -r src/

DAST (Dynamic Application Security Testing)

# OWASP ZAP
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://example.com

# Nikto
nikto -h https://example.com

Dependency Scanning

# npm audit
npm audit
npm audit fix

# Snyk
npx snyk test
npx snyk monitor

# Safety (Python)
safety check

# Bundler-audit (Ruby)
bundle-audit check --update

Secrets Detection

Pre-commit Hooks

# Install pre-commit
pip install pre-commit

# Add to .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

Scanning Tools

# detect-secrets
detect-secrets scan

# gitleaks
gitleaks detect --source . --verbose

# truffleHog
trufflehog git file://. --only-verified

Secret Patterns

# Common patterns to detect
- AWS keys: AKIA[0-9A-Z]{16}
- GitHub tokens: gh[pousr]_[A-Za-z0-9]{36}
- Private keys: -----BEGIN.*PRIVATE KEY-----
- API keys: [a-zA-Z0-9]{32,}
- Passwords: password\s*[:=]\s*[^\s]+
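An added Python example, mine rather than the skill's, that runs the patterns listed above over constructed sample lines: it reports overlapping hits once under the most specific pattern, redacts what it reports, and takes an allowlist of reviewed values, which is the role the .secrets.baseline file plays in the pre-commit hook above. The names SECRET_PATTERNS, scan_lines and SAMPLE_LINES are my own.

```python
import re

# The patterns listed above, most specific first so that a generic hit which
# overlaps a specific one is suppressed rather than double-reported.
SECRET_PATTERNS = [
    ("AWS access key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("GitHub token", re.compile(r"gh[pousr]_[A-Za-z0-9]{36}")),
    ("Private key", re.compile(r"-----BEGIN.*PRIVATE KEY-----")),
    ("Password assignment", re.compile(r"password\s*[:=]\s*[^\s]+")),
    ("Generic API key", re.compile(r"[a-zA-Z0-9]{32,}")),
]

def redact(value):
    """Keep a short prefix so a finding can be located without re-leaking it."""
    return value[:4] + "..." + "*" * 8

def scan_lines(lines, allowlist=frozenset()):
    """Return (line_no, pattern_name, redacted_value) per suspected secret.

    `allowlist` holds raw values already reviewed as non-secrets, the role the
    .secrets.baseline file plays in the pre-commit configuration above.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        taken = []  # spans already attributed to a more specific pattern
        for name, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                if any(s < m.end() and m.start() < e for s, e in taken):
                    continue
                taken.append((m.start(), m.end()))
                if m.group(0) in allowlist:
                    continue
                findings.append((line_no, name, redact(m.group(0))))
    return findings

# Constructed sample input: the AWS value is the AWS documentation example key,
# and the last line is a plain git commit hash that the generic pattern flags.
SAMPLE_LINES = [
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "password: hunter2",
    "-----BEGIN RSA PRIVATE KEY-----",
    "commit 3b1c9f7e2a4d5c6b8e9f0a1b2c3d4e5f6a7b8c9d",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

The commit-hash hit shows why the generic 32+ character pattern needs a baseline or allowlist before it is wired into a blocking pre-commit hook.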

Compliance Checks

GDPR

# Requirements
- Data minimization
- Purpose limitation
- Storage limitation
- Right to erasure
- Data portability
- Consent management

HIPAA

# Requirements
- Access controls
- Audit controls
- Integrity controls
- Transmission security
- Encryption at rest
- Business associate agreements

SOC2

# Trust Service Criteria
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy

Security Hardening

Server Hardening

# SSH
- Disable root login
- Use key-based auth
- Change default port
- Limit SSH users

# Firewall
- Allow only necessary ports
- Rate limit connections
- Block known malicious IPs

# Updates
- Enable automatic security updates
- Remove unused packages
- Disable unnecessary services

Application Hardening

# Headers
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- Strict-Transport-Security

# Cookies
- Secure flag
- HttpOnly flag
- SameSite attribute
- Short expiration
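An added example (mine, not the skill's) of the header and cookie items above as a WSGI middleware, written with the Python standard library only; the SECURITY_HEADERS values, the demo_app and run helpers, and the one-hour Max-Age default are assumptions for the demonstration.

```python
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

def harden_cookie(value):
    """Add the Secure, HttpOnly, SameSite and Max-Age attributes a Set-Cookie lacks."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    if "samesite" not in present:
        attrs.append("SameSite=Lax")
    if "max-age" not in present and "expires" not in present:
        attrs.append("Max-Age=3600")  # assumed one-hour cap; tune per application
    return "; ".join(attrs)

class SecurityHeadersMiddleware:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            out, seen = [], set()
            for name, value in headers:
                seen.add(name.lower())
                if name.lower() == "set-cookie":
                    value = harden_cookie(value)
                out.append((name, value))
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in seen:  # a header the app already set wins
                    out.append((name, value))
            return start_response(status, out, exc_info)
        return self.app(environ, hardened_start_response)

def demo_app(environ, start_response):
    # Constructed application that sets a cookie without any protective flags.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello"]

def run(app, environ=None):
    # Minimal in-process WSGI call; returns (status, headers as dict, body).
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ or {}, start_response))
    return captured["status"], dict(captured["headers"]), body
```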

# Input Validation
- Whitelist validation
- Length limits
- Type checking
- Sanitization

Database Hardening

# Access
- Least privilege
- Separate accounts
- Strong passwords
- Network restrictions

# Configuration
- Disable remote access
- Enable encryption
- Audit logging
- Regular backups

# Queries
- Parameterized queries
- Input validation
- Output encoding

Security Checklist

Development

  • [ ] Security requirements defined
  • [ ] Threat modeling completed
  • [ ] Secure coding guidelines followed
  • [ ] Code review for security
  • [ ] Dependencies scanned

Deployment

  • [ ] Secure configuration
  • [ ] Secrets in vault
  • [ ] HTTPS enabled
  • [ ] Security headers set
  • [ ] Logging configured

Operations

  • [ ] Monitoring enabled
  • [ ] Alerts configured
  • [ ] Incident response plan
  • [ ] Regular audits
  • [ ] Backup testing

Tools Reference

Category        | Tool                      | Purpose
----------------|---------------------------|------------------------
SAST            | SonarQube, Semgrep        | Code analysis
DAST            | OWASP ZAP, Nikto          | Runtime testing
Dependencies    | Snyk, npm audit           | Vulnerability scanning
Secrets         | detect-secrets, gitleaks  | Credential detection
Container       | Trivy, Clair              | Image scanning
Infrastructure  | Checkov, tfsec            | IaC scanning

Best Practices

  1. Shift left - Security early in development
  2. Defense in depth - Multiple security layers
  3. Least privilege - Minimal permissions
  4. Secure defaults - Out-of-box security
  5. Fail securely - Graceful degradation
  6. Don't trust input - Validate everything
  7. Log security events - Audit trail
  8. Regular updates - Patch vulnerabilities

Version History

1 version total

  • v1.0.0 Migrated from ClawHub (current)
    2026-06-07 12:35 Safe, Safe

Security Scan

Tencent Cloud Security (Keen): Safe, no risk

Tencent Cloud Security (Sanbu): Safe, no risk