name: "QE 安全合规"
description: "针对 OWASP、SOC2、GDPR 及其他标准的安全审计、漏洞扫描和合规验证。"
trust_tier: 3
validation:
  schema_path: schemas/output.json
  validator_path: scripts/validate-config.json
  eval_path: evals/qe-security-compliance.yaml
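QE Security Compliance
Purpose
Guides the use of v3's security and compliance testing capabilities, including SAST/DAST scanning, vulnerability detection, compliance auditing, and security gate enforcement.
Activation
- When performing a security audit
- When scanning for vulnerabilities
- When validating compliance
- When checking dependencies
- When setting up security gates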
Quick Start
```bash
# Full security scan
aqe security scan --scope src/ --checks all

# Vulnerability check
aqe security vulns --dependencies --severity critical,high

# Compliance audit
aqe security compliance --standard soc2 --output report.html

# OWASP check
aqe security owasp --top-10 --scope src/
```
Agent Workflow
```typescript
// Security audit
Task("安全审计", `
执行全面安全审计:
- SAST 扫描代码漏洞
- 依赖漏洞检查
- 代码和配置中的秘密检测
- OWASP Top 10 验证
生成带有修复步骤的安全报告。
`, "qe-security-auditor")

// Compliance validation
Task("SOC2 合规检查", `
验证 SOC2 合规要求:
- 访问控制验证
- 加密验证
- 审计日志检查
- 数据保留合规
生成合规证据报告。
`, "qe-compliance-checker")
```
Security Operations
1. SAST Scanning
```typescript
await securityScanner.staticAnalysis({
  scope: 'src/**/*.ts',
  checks: [
    'sql-injection',
    'xss',
    'command-injection',
    'path-traversal',
    'insecure-crypto',
    'hardcoded-secrets'
  ],
  rules: 'owasp-top-10',
  severity: ['critical', 'high', 'medium']
});
```
2. Dependency Scanning
```typescript
await securityScanner.dependencyCheck({
  sources: ['package.json', 'package-lock.json'],
  checks: {
    knownVulnerabilities: true,
    outdatedPackages: true,
    licenseCompliance: true,
    supplyChainRisk: true
  },
  severity: ['critical', 'high'],
  autoFix: {
    enabled: true,
    dryRun: false
  }
});
```
3. Compliance Audit
```typescript
await complianceChecker.audit({
  standards: ['SOC2', 'GDPR', 'HIPAA'],
  scope: {
    code: 'src/',
    configs: 'config/',
    infrastructure: 'terraform/'
  },
  output: {
    gaps: true,
    evidence: true,
    recommendations: true
  }
});
```
4. Secret Detection
```typescript
await securityScanner.detectSecrets({
  scope: ['.', 'config/', '.env*'],
  patterns: [
    'api-keys',
    'passwords',
    'tokens',
    'private-keys',
    'connection-strings'
  ],
  exclude: ['*.test.ts', 'mocks/'],
  action: {
    onDetect: 'block',
    notify: ['security-team']
  }
});
```
OWASP Top 10 Coverage
```yaml
owasp_2021:
  A01_broken_access_control:
    checks: [privilege-escalation, idor, cors-misconfiguration]
    automated: true
  A02_cryptographic_failures:
    checks: [weak-encryption, missing-encryption, key-management]
    automated: true
  A03_injection:
    checks: [sql, nosql, command, xss, ldap]
    automated: true
  A04_insecure_design:
    checks: [threat-modeling, secure-patterns]
    automated: partial
  A05_security_misconfiguration:
    checks: [default-credentials, unnecessary-features]
    automated: true
  A06_vulnerable_components:
    checks: [outdated-deps, known-cves]
    automated: true
  A07_auth_failures:
    checks: [weak-passwords, session-issues]
    automated: true
  A08_software_data_integrity:
    checks: [insecure-deserialization, cicd-security]
    automated: partial
  A09_logging_monitoring:
    checks: [insufficient-logging, missing-alerts]
    automated: partial
  A10_ssrf:
    checks: [server-side-request-forgery]
    automated: true
```
Security Report
```typescript
interface SecurityReport {
  summary: {
    score: number; // 0-100
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  vulnerabilities: {
    id: string;
    type: string;
    severity: 'critical' | 'high' | 'medium' | 'low';
    location: string;
    description: string;
    remediation: string;
    cwe: string;
    owasp: string;
  }[];
  dependencies: {
    vulnerable: number;
    outdated: number;
    details: DependencyVuln[];
  };
  compliance: {
    standard: string;
    status: 'compliant' | 'non-compliant' | 'partial';
    gaps: ComplianceGap[];
    evidence: Evidence[];
  }[];
  secrets: {
    detected: number;
    locations: SecretLocation[];
  };
}
```
Security Gates
```yaml
security_gates:
  block_merge:
    - critical_vulnerabilities > 0
    - high_vulnerabilities > 2
    - secrets_detected > 0
    - compliance_failures > 0
  warn:
    - medium_vulnerabilities > 5
    - outdated_dependencies > 10
  enforce:
    - signed_commits: required
    - code_review: required
    - security_scan: required
```
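How the `block_merge` and `warn` thresholds above can be turned into a merge decision, as an added example that is not part of AQE or this skill's own code. The names `GateReport`, `metrics`, `fires` and `evaluateGates` are hypothetical, and the mapping from `SecurityReport` fields to gate metric names (including counting only `non-compliant` as a compliance failure) is an assumption; the `enforce` entries are not evaluated.

```typescript
// Added example, not AQE code. Only the report fields the gates read are modelled.
type GateReport = {
  summary: { critical: number; high: number; medium: number };
  dependencies: { outdated: number };
  compliance: { status: 'compliant' | 'non-compliant' | 'partial' }[];
  secrets: { detected: number };
};
// Thresholds copied from the security_gates block on this page.
const GATES = {
  block_merge: ['critical_vulnerabilities > 0', 'high_vulnerabilities > 2',
                'secrets_detected > 0', 'compliance_failures > 0'],
  warn: ['medium_vulnerabilities > 5', 'outdated_dependencies > 10'],
};
// Assumed mapping from report fields to the metric names used in the rules.
function metrics(r: GateReport): Record<string, number> {
  return {
    critical_vulnerabilities: r.summary.critical,
    high_vulnerabilities: r.summary.high,
    medium_vulnerabilities: r.summary.medium,
    outdated_dependencies: r.dependencies.outdated,
    secrets_detected: r.secrets.detected,
    // Assumption: only 'non-compliant' counts as a failure; 'partial' does not.
    compliance_failures: r.compliance.filter(c => c.status === 'non-compliant').length,
  };
}

// True when "metric > N" fires. Malformed rules, unknown metrics and non-finite
// counts also return true, so a broken gate blocks the merge instead of passing it.
function fires(rule: string, m: Record<string, number>): boolean {
  const match = /^\s*([a-z_]+)\s*>\s*(\d+)\s*$/.exec(rule);
  if (!match) return true;
  const value = m[match[1] ?? ''];
  if (typeof value !== 'number' || !isFinite(value)) return true;
  return value > Number(match[2]);
}

function evaluateGates(r: GateReport, gates = GATES) {
  const m = metrics(r);
  const blocked = gates.block_merge.filter(rule => fires(rule, m));
  const warnings = gates.warn.filter(rule => fires(rule, m));
  const decision = blocked.length > 0 ? 'block' : warnings.length > 0 ? 'warn' : 'pass';
  return { decision, blocked, warnings };
}
// Constructed sample report: 3 high findings and 12 outdated packages.
const sampleReport: GateReport = {
  summary: { critical: 0, high: 3, medium: 4 }, dependencies: { outdated: 12 },
  compliance: [{ status: 'partial' }], secrets: { detected: 0 },
};
const sampleResult = evaluateGates(sampleReport);
```

For the constructed sample, `sampleResult.decision` is `block` because `high_vulnerabilities > 2` fires, with one warning for outdated dependencies.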
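Compliance Standards
| Standard | Scope | Automated checks |
|---|---|---|
| SOC2 | Security controls | Partial |
| GDPR | Data privacy | Partial |
| HIPAA | Health data | Partial |
| PCI-DSS | Payment data | Yes |
| ISO 27001 | Information security | Partial |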
Coordination
Primary agents: qe-security-auditor, qe-security-scanner, qe-compliance-checker
Coordinator: qe-security-coordinator
Related skills: qe-quality-assessment, qe-contract-testing