#!/bin/bash # 本地安全扫描脚本 (Linux/macOS) # 用法: ./scripts/security-scan.sh # 功能: npm audit + Trivy 文件系统扫描,输出彩色报告 # 退出码: 0=无高危漏洞, 1=存在高危漏洞 set -uo pipefail # 颜色定义 RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' CYAN='\033[0;36m' NC='\033[0m' # No Color PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" cd "$PROJECT_ROOT" HAS_HIGH=0 print_header() { echo -e "${CYAN}================================================${NC}" echo -e "${CYAN} $1${NC}" echo -e "${CYAN}================================================${NC}" } print_ok() { echo -e "${GREEN}[PASS]${NC} $1"; } print_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; } print_err() { echo -e "${RED}[FAIL]${NC} $1"; HAS_HIGH=1; } print_info() { echo -e "${BLUE}[INFO]${NC} $1"; } # 检查命令是否存在 command_exists() { command -v "$1" >/dev/null 2>&1 } print_header "本地安全扫描" print_info "项目目录: $PROJECT_ROOT" echo "" # ------------------------------------------------ # 1. npm audit # ------------------------------------------------ print_header "1/2 npm audit (依赖审计)" if ! command_exists npm; then print_err "未检测到 npm,请先安装 Node.js" exit 1 fi npm audit --json > /tmp/audit-report.json 2>/dev/null || true if [ -f /tmp/audit-report.json ]; then # 提取漏洞计数(需要 jq) if command_exists jq; then CRITICAL=$(jq -r '.metadata.vulnerabilities.critical // 0' /tmp/audit-report.json) HIGH=$(jq -r '.metadata.vulnerabilities.high // 0' /tmp/audit-report.json) MODERATE=$(jq -r '.metadata.vulnerabilities.moderate // 0' /tmp/audit-report.json) LOW=$(jq -r '.metadata.vulnerabilities.low // 0' /tmp/audit-report.json) echo -e " critical: ${RED}${CRITICAL}${NC} high: ${RED}${HIGH}${NC} moderate: ${YELLOW}${MODERATE}${NC} low: ${GREEN}${LOW}${NC}" if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then print_err "npm audit 发现 critical/high 漏洞" else print_ok "npm audit 无 critical/high 漏洞" fi else print_warn "未安装 jq,跳过漏洞计数,显示原始报告" npm audit --audit-level=moderate || print_warn "npm audit 发现漏洞" fi # 保存报告到项目根目录 cp /tmp/audit-report.json "$PROJECT_ROOT/audit-report.json" print_info "报告已保存: audit-report.json" else print_warn "npm audit 未生成报告" fi echo "" # ------------------------------------------------ # 2. Trivy 文件系统扫描 # ------------------------------------------------ print_header "2/2 Trivy FS Scan (文件系统扫描)" if ! command_exists trivy; then print_warn "未检测到 trivy,跳过文件系统扫描" print_info "安装 Trivy: https://aquasecurity.github.io/trivy/latest/getting-started/installation/" else TRIVY_REPORT="$PROJECT_ROOT/trivy-fs-report.json" if trivy fs --format json --output "$TRIVY_REPORT" --exit-code 0 . >/dev/null 2>&1; then print_ok "Trivy 扫描完成" else print_warn "Trivy 扫描返回非零状态(可能存在漏洞)" fi if [ -f "$TRIVY_REPORT" ] && command_exists jq; then TOTAL=$(jq -r '[.Results[]?.Vulnerabilities[]?] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0") CRITICAL=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0") HIGH=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity=="HIGH")] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0") MEDIUM=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity=="MEDIUM")] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0") LOW=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity=="LOW")] | length' "$TRIVY_REPORT" 2>/dev/null || echo "0") echo -e " 总计: ${TOTAL} critical: ${RED}${CRITICAL}${NC} high: ${RED}${HIGH}${NC} medium: ${YELLOW}${MEDIUM}${NC} low: ${GREEN}${LOW}${NC}" if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then print_err "Trivy 发现 critical/high 漏洞" else print_ok "Trivy 无 critical/high 漏洞" fi print_info "报告已保存: trivy-fs-report.json" fi # 输出表格视图 echo "" print_info "Trivy 表格视图:" trivy fs --format table --exit-code 0 . || true fi echo "" # ------------------------------------------------ # 汇总 # ------------------------------------------------ print_header "扫描汇总" if [ "$HAS_HIGH" -eq 0 ]; then print_ok "未发现高危漏洞 (exit 0)" exit 0 else print_err "发现高危漏洞,请尽快处理 (exit 1)" echo -e " ${BLUE}SLA:${NC} critical 24h / high 7d / medium 30d / low 90d" exit 1 fi