# GitHub Security Features

GitHub provides a number of security features that help protect your code and your software supply chain, including Dependabot, Code Scanning and Secret Scanning.
## Dependabot

Dependabot automatically detects vulnerable dependencies and opens pull requests to update them.

### Enabling Dependabot

Create `.github/dependabot.yml` in the repository:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
```
### Configuration Options

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
      time: "09:00"
      timezone: "Asia/Shanghai"
    commit-message:
      prefix: "deps"
      include: "scope"
    labels:
      - "dependencies"
    reviewers:
      - "username"
    assignees:
      - "username"
    open-pull-requests-limit: 5
    target-branch: "develop"
    ignore:
      - dependency-name: "express"
        versions: ["4.x", "5.x"]
```
### Supported Package Managers

| Package manager | `package-ecosystem` value |
|---|---|
| npm | npm |
| Yarn | npm |
| pip | pip |
| Maven | maven |
| Gradle | gradle |
| Go modules | gomod |
| Cargo | cargo |
| Composer | composer |
| NuGet | nuget |
| Docker | docker |
### Multi-Directory Configuration

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/packages/frontend"
    schedule:
      interval: "weekly"
  - package-ecosystem: "pip"
    directory: "/backend"
    schedule:
      interval: "weekly"
```
### Docker Image Updates

```yaml
version: 2   # required at the top of every dependabot.yml
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```
### GitHub Actions Updates

```yaml
version: 2   # required at the top of every dependabot.yml
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```
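As an added illustration of the multi-directory and ecosystem sections above (example code written for this page, not a GitHub or Dependabot tool), here is a small Python script that walks a repository, maps the manifest files it finds to the `package-ecosystem` values from the table, and renders a `dependabot.yml` with one entry per directory. The manifest-to-ecosystem map, the pruned directory names and the sample repository layout are my own constructed choices; the script goes beyond the page's three-entry example by covering every ecosystem in the table that has a well-known manifest file name, plus `github-actions` when a workflows directory exists.

```python
"""Discover dependency manifests in a repository and render a dependabot.yml."""
import os
import tempfile
from pathlib import Path

# Manifest file name -> Dependabot package-ecosystem value (from the table on this page).
# The file names are my assumption of what each ecosystem's manifest is usually called.
MANIFESTS = {
    "package.json": "npm",          # npm and Yarn both use the "npm" ecosystem
    "requirements.txt": "pip",
    "pyproject.toml": "pip",
    "pom.xml": "maven",
    "build.gradle": "gradle",
    "build.gradle.kts": "gradle",
    "go.mod": "gomod",
    "Cargo.toml": "cargo",
    "composer.json": "composer",
    "Dockerfile": "docker",
}
# Vendored or generated trees contain manifests that are not ours to update.
SKIP_DIRS = {".git", "node_modules", "vendor"}


def discover_updates(repo_root):
    """Return sorted (ecosystem, directory) pairs, one per manifest location."""
    root = Path(repo_root)
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        rel = Path(dirpath).relative_to(root).as_posix()
        directory = "/" if rel == "." else "/" + rel   # Dependabot wants repo-rooted paths
        for name in filenames:
            ecosystem = MANIFESTS.get(name)
            if ecosystem:
                found.add((ecosystem, directory))
    if (root / ".github" / "workflows").is_dir():
        found.add(("github-actions", "/"))          # actions are always configured at "/"
    return sorted(found)


def render_dependabot_yml(updates, interval="weekly", pr_limit=5):
    """Emit the same layout as the dependabot.yml examples above."""
    lines = ["version: 2", "updates:"]
    for ecosystem, directory in updates:
        lines += [
            f'  - package-ecosystem: "{ecosystem}"',
            f'    directory: "{directory}"',
            "    schedule:",
            f'      interval: "{interval}"',
            f"    open-pull-requests-limit: {pr_limit}",
        ]
    return "\n".join(lines) + "\n"


def build_sample_repo():
    """Constructed monorepo layout used for the demonstration (not a real project)."""
    root = Path(tempfile.mkdtemp(prefix="dependabot-demo-"))
    for rel in [
        "package.json",
        "Dockerfile",
        "packages/frontend/package.json",
        "backend/requirements.txt",
        "services/api/go.mod",
        ".github/workflows/ci.yml",
        "node_modules/leftpad/package.json",   # must be ignored
    ]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    print(render_dependabot_yml(discover_updates(repo)))
```

Run it and paste the output into `.github/dependabot.yml`, then add per-entry settings such as `ignore` or `target-branch` by hand where a directory needs them.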
### Dependabot Security Updates

When a security vulnerability is detected, Dependabot automatically opens a security update PR.

#### Enabling Security Updates

- Go to the repository's Settings > Security > Code security and analysis
- Enable "Dependabot security updates"

#### Viewing Security Advisories

Security advisories are listed on the repository's Security > Advisories page.
## Code Scanning

Code Scanning uses CodeQL or third-party tools to scan code for vulnerabilities.

### Using CodeQL

Create `.github/workflows/codeql.yml`:

```yaml
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0'
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      matrix:
        language: [javascript, python]
    steps:
      - uses: actions/checkout@v4
      - name: 初始化 CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: 自动构建
        uses: github/codeql-action/autobuild@v3
      - name: 执行分析
        uses: github/codeql-action/analyze@v3
```
### Supported Languages

| Language | Language identifier |
|---|---|
| JavaScript/TypeScript | javascript |
| Python | python |
| Java/Kotlin | java |
| C/C++ | c-cpp |
| C# | csharp |
| Go | go |
| Ruby | ruby |
| Swift | swift |
### Custom Configuration

Create `.github/codeql/codeql-config.yml`:

```yaml
name: Custom CodeQL Configuration
paths:
  - src
  - lib
paths-ignore:
  - '**/test/**'
  - '**/tests/**'
queries:
  - uses: security-and-quality
```

Reference it from the workflow:

```yaml
- uses: github/codeql-action/init@v3
  with:
    languages: javascript
    config-file: ./.github/codeql/codeql-config.yml
```
### Third-Party Scanning Tools

Other static analysis tools can be used as well:

```yaml
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: 运行 Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/secrets
            p/owasp-top-ten
```
## Secret Scanning

Secret Scanning automatically detects credentials that were accidentally committed to the code.

### Enabling Secret Scanning

- Go to the repository's Settings > Security > Code security and analysis
- Enable "Secret scanning"

### Supported Secret Types

GitHub can detect many kinds of secrets, including:

- AWS Access Keys
- GitHub Tokens
- Slack Tokens
- Stripe API Keys
- Google API Keys
- and more...

### Push Protection

Push Protection blocks a push whose commits contain a secret:

- Go to the repository's Settings > Security > Code security and analysis
- Enable "Push protection"

### Handling a Detected Secret

When a secret is detected:

- Review the alert under Security > Secret scanning
- Confirm whether it is a real credential
- If it is, revoke it immediately and generate a new one
- Mark the alert as resolved
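The detection and triage flow above, as an added example (my own code, not GitHub's implementation; GitHub's real detectors are partner-provided and far broader than this): a minimal scanner for the well-known token formats of the secret types listed, run over constructed diff lines the way push protection runs over a push. It redacts each match so the full value never reaches a log or alert, and it takes an allowlist for values already confirmed not to be real credentials, which is the "confirm whether it is a real credential" step. The AWS key in the sample is the placeholder from AWS's own documentation; the other values are constructed.

```python
"""Minimal secret-pattern scanner modelled on Secret Scanning and Push Protection."""
import re
from dataclasses import dataclass

# Well-known token formats for the secret types named on this page.
# These are my own simplified regexes, not GitHub's detectors.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "stripe-live-key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str   # only a prefix survives; the full secret is never stored


def redact(value):
    """Keep the identifying prefix so the alert is actionable, hide the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines, allowlist=frozenset()):
    """Return one Finding per match that is not on the allowlist."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                if match.group(0) in allowlist:   # already triaged as a known example value
                    continue
                findings.append(Finding(line_no, rule, redact(match.group(0))))
    return findings


def should_block_push(lines, allowlist=frozenset()):
    """Push Protection semantics: any unreviewed finding blocks the push."""
    return bool(scan_lines(lines, allowlist))


# Constructed diff lines (not from any real repository).
SAMPLE_DIFF = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                  # AWS docs example key
    'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',   # constructed
    'google_key = "AIza0123456789abcdefghijklmnopqrstuvwxy"',      # constructed
    'DB_HOST = "db.internal"',
    'token = os.environ["GITHUB_TOKEN"]',                          # read from env: no finding
]
# Values already confirmed to be documentation placeholders rather than live credentials.
KNOWN_EXAMPLE_VALUES = frozenset({"AKIAIOSFODNN7EXAMPLE"})

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_DIFF, KNOWN_EXAMPLE_VALUES):
        print(f"line {finding.line_no}: {finding.rule} ({finding.redacted})")
    print("block push:", should_block_push(SAMPLE_DIFF, KNOWN_EXAMPLE_VALUES))
```

The allowlist is keyed on the exact value rather than on the rule, so a confirmed placeholder stops generating alerts while a new key of the same type still does.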
## Security Advisories

Security advisories are used to disclose and track security vulnerabilities publicly.

### Creating a Security Advisory

- Go to the repository's Security > Advisories
- Click "New draft security advisory"
- Fill in the vulnerability details
- Add the affected versions
- Publish the advisory

### Private Collaboration

You can invite security researchers to work on a fix privately:

- Create a draft security advisory
- Invite collaborators
- Fix the issue in a private fork
- Publish the advisory and make the fix public

### Security Policy

Create a `SECURITY.md` file that explains how to report security issues:

```markdown
# Security Policy

## Supported Versions

| Version | Support status |
|------|----------|
| 2.x | Supported |
| 1.x | Security fixes only |
| < 1.0 | Not supported |

## Reporting a Vulnerability

If you discover a security vulnerability, please email [email protected].
We commit to responding within 48 hours and to shipping a fix within 90 days of confirmation.
```
## Security Best Practices

### Principle of Least Privilege

Grant workflows only the permissions they need:

```yaml
permissions:
  contents: read
```
### Using OIDC

Use OpenID Connect instead of long-lived credentials. The job needs `id-token: write` so that the runner can request the OIDC token:

```yaml
permissions:
  id-token: write   # required to request the OIDC token
  contents: read
steps:
  - name: 配置 AWS 凭证
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789:role/my-role
      aws-region: us-east-1
```
### Protecting Secrets

- Use repository secrets instead of hard-coding values
- Use environment secrets to isolate environments
- Rotate secrets regularly
- Use `add-mask` to mask sensitive output

```yaml
steps:
  - name: 掩码敏感信息
    env:
      SECRET_VALUE: ${{ secrets.SECRET_VALUE }}   # assumed source of the variable; values from secrets.* are already masked, add-mask covers values derived from them
    run: |
      echo "::add-mask::$SECRET_VALUE"
```
### Dependency Review

Use the Dependency Review Action to review dependency changes in pull requests:

```yaml
name: Dependency Review
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
```
### Branch Protection

Configure branch protection rules:

- Go to Settings > Branches
- Add a branch protection rule
- Enable:
  - Require status checks
  - Require branches to be up to date
  - Require signed commits
  - Require linear history
## Example Security Workflow

```yaml
name: Security
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0'
jobs:
  codeql:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
  dependency-review:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: TruffleHog Secret Scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          extra_args: --only-verified
  snyk:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Snyk 扫描
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: 上传结果
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
```
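Both the third-party scanning section and the `upload-sarif` step in the workflow above depend on the scanner producing SARIF, which is how results from any tool land in the Security tab as code scanning alerts. As an added example (written for this page, not part of Semgrep, Snyk or GitHub), here is a Python converter that turns a scanner's findings into a minimal SARIF 2.1.0 log of the shape `github/codeql-action/upload-sarif` accepts; the tool name, the severity vocabulary and the finding records are constructed.

```python
"""Convert a scanner's findings into a minimal SARIF 2.1.0 log for code scanning upload."""
import json
from pathlib import Path

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# Map a hypothetical tool's severity words onto the SARIF levels code scanning understands.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed findings in a hypothetical tool's native shape (not real scanner output).
SAMPLE_FINDINGS = [
    {"rule_id": "hardcoded-credential", "title": "Hard-coded credential",
     "severity": "high", "file": "src/config.js", "line": 12,
     "message": "A credential is assigned to a constant; load it from a secret instead."},
    {"rule_id": "unsafe-eval", "title": "Use of eval", "severity": "medium",
     "file": "src/render.js", "line": 40,
     "message": "eval() is called on request data."},
    {"rule_id": "hardcoded-credential", "title": "Hard-coded credential",
     "severity": "high", "file": "src/db.js", "line": 7,
     "message": "A credential is assigned to a constant; load it from a secret instead."},
]


def to_sarif(tool_name, tool_version, findings):
    """Build one SARIF run: rules declared once, results referencing them by index."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        rid = f["rule_id"]
        level = SARIF_LEVEL.get(f["severity"], "warning")
        if rid not in rule_index:
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "shortDescription": {"text": f["title"]},
                "defaultConfiguration": {"level": level},
            })
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": level,
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # %SRCROOT% tells code scanning the path is relative to the checkout
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def write_sarif(path, doc):
    """Write the log to disk; the returned size is handy for a sanity check in CI."""
    target = Path(path)
    target.write_text(json.dumps(doc, indent=2))
    return target.stat().st_size


if __name__ == "__main__":
    print(json.dumps(to_sarif("example-scanner", "0.1.0", SAMPLE_FINDINGS), indent=2))
```

In a workflow, write the file with `write_sarif("results.sarif", doc)` in a step and pass `sarif_file: results.sarif` to `github/codeql-action/upload-sarif@v3`; the job needs `security-events: write`, exactly as the Snyk job above has.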