huntridge-labs/argus

GitHub: huntridge-labs/argus

Argus is a unified security-scanning orchestration framework built on GitHub Actions. It integrates multiple open-source security tools (SAST, container, IaC, secret detection and DAST) into a single reusable workflow for automated, continuous security protection.

Stars: 9 | Forks: 1

# Argus - Perception is Protection

![GitHub Release](https://img.shields.io/github/v/release/huntridge-labs/argus?style=flat-square) ![Unit Tests](https://img.shields.io/github/actions/workflow/status/huntridge-labs/argus/test-unit.yml?label=unit%20tests&style=flat-square) ![Integration Tests](https://img.shields.io/github/actions/workflow/status/huntridge-labs/argus/test-actions.yml?label=integration%20tests&style=flat-square) [![codecov](https://img.shields.io/codecov/c/github/huntridge-labs/argus?token=SZDF9J8UGX&style=flat-square)](https://codecov.io/gh/huntridge-labs/argus) [![License: AGPL v3](https://img.shields.io/badge/License-AGPL_v3-blue.svg?style=flat-square)](https://www.gnu.org/licenses/agpl-3.0) [![AICaC](https://img.shields.io/badge/AICaC-Comprehensive-success.svg)](https://github.com/eFAILution/AICaC)
Unified security scanning built for GitHub Actions: SAST, container, IaC, secrets and DAST scanning in a single workflow.
## Table of Contents

- [Quick Start](#quick-start)
- [Supported Scanners](#supported-scanners)
- [Features](#features)
- [GitHub Enterprise Server (GHES)](#github-enterprise-server-ghes)
- [Documentation](#documentation)
- [Usage Examples](#usage-examples)
- [Configuration](#configuration)
- [Contributing](#contributing)

## Quick Start

Create `.github/workflows/security.yml`:

```
name: Security Scan
on: [pull_request, push]
jobs:
  security:
    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7
    with:
      scanners: all
      enable_code_security: true
      post_pr_comment: true
      fail_on_severity: high
    secrets: inherit
```

## Supported Scanners

| Category | Scanner | Description |
|----------|---------|-------------|
| **SAST** | CodeQL | GitHub semantic code analysis |
| | Gitleaks | Secret detection in Git history |
| | Bandit | Python security linter |
| | OpenGrep | Fast multi-language static analysis |
| **Container** | Trivy Container | Comprehensive vulnerability scanner |
| | Grype | Fast, accurate CVE detection |
| | Syft | Software Bill of Materials (SBOM) |
| **Infrastructure** | Trivy IaC | Infrastructure-as-code scanner |
| | Checkov | Policy-as-code for cloud configurations |
| **Malware** | ClamAV | Open-source antivirus engine |
| **DAST** | ZAP | Dynamic testing of running web/API endpoints (optional) |

See the [Scanner Reference](docs/scanners.md) for detailed scanner configuration.

## Features

- **Unified interface** - One workflow for all scanners
- **Flexible scanner selection** - Use `all`, scanner groups, or specific scanners
- **GitHub Security tab integration** - Uploads SARIF results to code scanning
- **PR comments** - Inline feedback on pull requests
- **Severity-based failure control** - Set thresholds for workflow failure
- **Container configuration** - Scan multiple containers from a single config file
- **Matrix execution** - Parallel scanning across multiple targets
- **Private registry support** - Authenticate to container registries
- **Environment variable expansion** - Dynamic configuration values

## GitHub Enterprise Server (GHES)

GHES users can use our composite actions directly from github.com; no mirroring is required.

**Architecture**: This project uses an actions-first architecture in which all scanner logic lives in composite actions. The reusable workflows are only thin wrappers kept for backward compatibility on github.com.
### GHES Quick Start

```
name: Security Scan (GHES)
on: [pull_request, push]
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      # Use composite actions directly from github.com
      - uses: huntridge-labs/argus/.github/actions/scanner-gitleaks@0.6.7
        with:
          enable_code_security: true
          fail_on_severity: high
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
      - uses: huntridge-labs/argus/.github/actions/scanner-bandit@0.6.7
        with:
          enable_code_security: true
          fail_on_severity: high
```
Complete GHES workflow templates are in [examples/github-enterprise/](examples/github-enterprise/):

- [SAST scanning](examples/github-enterprise/sast-only.yml)
- [Container scanning](examples/github-enterprise/container-scanning.yml)
- [Infrastructure scanning](examples/github-enterprise/infrastructure-scanning.yml)
- [DAST scanning](examples/github-enterprise/dast-scanning.yml)

## Documentation

**Full documentation:** [huntridge-labs.github.io/argus](https://huntridge-labs.github.io/argus/)

### User Guides

- [Scanner Reference](docs/scanners.md) - Complete configuration for all scanners
- [Container Scanning](docs/container-scanning.md) - Config-driven matrix container scanning
- [Failure Control](docs/failure-control.md) - Severity-based workflow failure configuration

### Developer Documentation

- [Contributing Guide](CONTRIBUTING.md) - How to add scanners and actions
- [Testing Guide](tests/CONTRIBUTING.md) - How to add and run tests
- [Release Management](docs/developer/release-management.md) - Release process and versioning
- [Enhanced PR Comments](docs/developer/enhanced-pr-comments.md) - PR comment implementation

## Usage Examples
### All Scanners with GitHub Security

```
name: Complete Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * 1'  # Weekly Monday at 2 AM
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  security:
    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7
    with:
      scanners: all
      enable_code_security: true
      post_pr_comment: true
      fail_on_severity: high
    secrets: inherit
```

### SAST Scanners Only

```
name: SAST Security Scan
on: [pull_request]
jobs:
  sast:
    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7
    with:
      scanners: codeql,bandit,opengrep,gitleaks
      codeql_languages: 'python,javascript'
      enable_code_security: true
      fail_on_severity: medium
    secrets:
      GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

### Container Scanning

```
name: Container Security
on:
  push:
    tags: ['v*']
jobs:
  scan-image:
    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7
    with:
      scanners: trivy-container,grype,sbom
      image_ref: 'ghcr.io/myorg/myapp:${{ github.ref_name }}'
      enable_code_security: true
      fail_on_severity: critical
```

### Config-Driven Multi-Container Scanning

```
name: Multi-Container Scan
on:
  push:
    paths: ['container-config.yml']
jobs:
  scan:
    uses: huntridge-labs/argus/.github/workflows/container-scan-from-config.yml@0.6.7
    with:
      config_file: container-config.yml
      enable_code_security: true
      fail_on_severity: high
    secrets: inherit
```

**container-config.yml:**

```
containers:
  - name: frontend
    registry:
      host: ghcr.io
      username: ${GITHUB_TRIGGERING_ACTOR}
      auth_secret: GITHUB_TOKEN
    image:
      repository: myorg
      name: frontend
      tag: latest
    scanners:
      - trivy-container
      - grype
  - name: backend
    image: myorg/backend:latest
    scanners:
      - trivy-container
      - sbom
```

See the [Container Scanning guide](docs/container-scanning.md) for full documentation.

### Infrastructure as Code

```
name: Infrastructure Security
on:
  pull_request:
    paths:
      - 'terraform/**'
      - 'infrastructure/**'
jobs:
  iac:
    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7
    with:
      scanners: trivy-iac,checkov
      iac_path: 'terraform/'
      enable_code_security: true
      fail_on_severity: high
```

### Branch-Specific Thresholds

```
name: Security with Branch Rules
on:
  pull_request:
    branches: ['**']
jobs:
  security:
    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7
    with:
      scanners: all
      enable_code_security: true
      post_pr_comment: true
      fail_on_severity: ${{ github.base_ref == 'main' && 'high' || 'critical' }}
    secrets: inherit
```
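The `fail_on_severity` gate and the branch rule in the last example, worked through as an added Python example (not Argus's own code): it buckets SARIF results by their rule's `security-severity` property using the ranges GitHub code scanning documents for its own ranking, which is an assumption about how findings are ranked rather than Argus's documented mapping, counts them per level, and decides whether a run at a given threshold would fail. The SARIF fragment is constructed.

```python
import json

# Severity ladder behind Argus's fail_on_severity input; "none" disables the gate.
SEVERITY_ORDER = ("none", "low", "medium", "high", "critical")

def bucket(security_severity):
    """Map a SARIF rule's numeric 'security-severity' (0-10) to a level.
    Assumption: the ranges GitHub code scanning uses for its own ranking."""
    score = float(security_severity)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def count_by_level(sarif):
    """Count results per level by joining each result to its rule's metadata."""
    counts = {level: 0 for level in SEVERITY_ORDER[1:]}
    for run in sarif["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run["results"]:
            props = rules.get(result["ruleId"], {}).get("properties", {})
            counts[bucket(props.get("security-severity", 0))] += 1
    return counts

def should_fail(counts, threshold):
    """True when any finding sits at or above the threshold; 'none' never fails."""
    if threshold == "none":
        return False
    floor = SEVERITY_ORDER.index(threshold)
    return any(counts[level] > 0 for level in SEVERITY_ORDER[floor:])

def threshold_for_branch(base_ref):
    """Same rule as the workflow expression: 'high' on main, 'critical' elsewhere."""
    return "high" if base_ref == "main" else "critical"

# Constructed SARIF fragment standing in for a scanner upload (not real tool output).
SAMPLE_SARIF = json.loads("""{"runs": [{"tool": {"driver": {"name": "demo",
  "rules": [{"id": "R1", "properties": {"security-severity": "7.5"}},
            {"id": "R2", "properties": {"security-severity": "3.1"}}]}},
  "results": [{"ruleId": "R1"}, {"ruleId": "R2"}, {"ruleId": "R2"}]}]}""")

if __name__ == "__main__":
    counts = count_by_level(SAMPLE_SARIF)
    for ref in ("main", "develop"):
        gate = threshold_for_branch(ref)
        print(ref, gate, counts, "FAIL" if should_fail(counts, gate) else "PASS")
```

With the sample data the same findings fail a PR into `main` (threshold `high`) and pass one into any other branch (threshold `critical`), which is exactly the asymmetry the branch rule is meant to produce.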
## Configuration

### Scanner Selection

- **All scanners:** `scanners: all`
- **By category:** `scanners: sast`, `scanners: container`, `scanners: infrastructure`
- **Specific scanners:** `scanners: codeql,trivy-container,gitleaks`
- **Multiple categories:** `scanners: sast,container`

### Common Inputs

| Input | Description | Default |
|-------|-------------|---------|
| `scanners` | Scanners to run (comma-separated, or a category) | Required |
| `enable_code_security` | Upload SARIF to the GitHub Security tab | `false` |
| `post_pr_comment` | Post scan results as a PR comment | `true` |
| `fail_on_severity` | Fail the workflow at a severity threshold | `none` |

**Severity levels:** `none`, `low`, `medium`, `high`, `critical`

See the [Failure Control guide](docs/failure-control.md) for detailed threshold configuration.

### Required Permissions

```
permissions:
  contents: read          # Read repository content
  security-events: write  # Upload to GitHub Security tab
  pull-requests: write    # Post PR comments
  actions: read           # Read Actions artifacts
```

### Secrets

Most secrets are optional and are inherited via `secrets: inherit`. Scanner-specific secrets:

| Secret | Used For | Description |
|--------|----------|-------------|
| `GITLEAKS_LICENSE` | Gitleaks (organizations) | License from [gitleaks.io](https://gitleaks.io) |
| `GITHUB_TOKEN` | PR comments, Security tab | Provided automatically |
| Registry secrets | Private containers | Tokens used for authentication |

## Contributing

Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines:

- Code of conduct
- Development setup
- Pull request process
- Commit message format

### Development Setup

**Quick start with a Dev Container (recommended):**

[![Open in Dev Containers](https://img.shields.io/static/v1?label=Dev%20Containers&message=Open&color=blue&logo=visualstudiocode)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/huntridge-labs/argus)

1. Install [VS Code](https://code.visualstudio.com/) + the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers)
2. Open the repository → "Reopen in Container"
3. All dependencies are ready! Run `npm test`

See [.devcontainer/README.md](.devcontainer/README.md) for details.

**Manual setup:**

```
# Install dependencies
npm install
pip install -r .devcontainer/requirements.txt

# Run tests
npm test

# See tests/CONTRIBUTING.md for the detailed testing guide
```

## License

AGPL v3 License - see [LICENSE.md](LICENSE.md) for details.

## Support

- **Documentation:** [huntridge-labs.github.io/argus](https://huntridge-labs.github.io/argus/)
- **Issues:** [GitHub Issues](https://github.com/huntridge-labs/argus/issues)
- **Discussions:** [GitHub Discussions](https://github.com/huntridge-labs/argus/discussions)
- **Security:** See [SECURITY.md](SECURITY.md) for vulnerability reporting