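A Claude Code plugin that brings together 18 AI agents and 11 security tools, providing end-to-end DevSecOps automation from SAST/DAST/SCA to container, IaC and secret scanning.
DevSecOps AI Team
Enterprise-grade DevSecOps plugin skill pack for Claude Code
Multi-Agent AI security team: 18 agents working together to secure software across the entire SDLC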
## Table of Contents
- [Executive Summary](#executive-summary)
- [Key Highlights](#key-highlights)
- [OWASP Top 10 Coverage](#owasp-top-10-coverage)
- [What's New (v3.0.3)](#whats-new)
- [Use Cases](#use-cases)
- [Quick Start](#quick-start)
- [Architecture Overview](#architecture-overview)
- [16 Skills](#16-skills--คำสั่งทั้งหมด)
- [18 AI Agents](#18-ai-agents--ทีมผู้เชี่ยวชาญ)
- [Vulnerability Prioritization](#vulnerability-prioritization)
- [Role-Based Security Policy](#role-based-security-policy)
- [MCP Server Integration](#mcp-server-integration-v20)
- [Compliance Mapping](#compliance-mapping)
- [Output Formats](#output-formats)
- [Autonomous Security Controls](#autonomous-security-controls--การป้องกันอัตโนมัติ)
- [Sidecar Runner Architecture](#sidecar-runner-architecture)
- [Security & Privacy](#security--privacy)
- [Testing & Quality](#testing--quality)
- [ROI & Business Value](#roi--business-value)
- [Comparison with Alternatives](#comparison-with-alternatives)
- [Project Structure](#project-structure)
- [Documentation](#documentation)
- [Requirements](#requirements)
- [Contributing](#contributing)
- [Roadmap](#roadmap)
- [License](#license)
## Executive Summary
| Metric | Value |
| --- | --- |
| **Project type** | Claude Code plugin skill pack (pure markdown/JSON/shell) |
| **AI Agents** | 18 agents in 4 groups (Orchestrators, Specialists, Experts, Core Team) |
| **Skills (commands)** | 16 slash commands (/sast-scan, /dast-scan, /full-pipeline, /k8s-scan, /graphql-scan, ...) |
| **Security tools** | 11 open-source tools in Docker containers (Semgrep, ZAP, Nuclei, Grype, Trivy, Checkov, GitLeaks, Syft, TruffleHog, kube-bench, Nuclei-GraphQL) |
| **MCP tools** | 10 composable tools for programmatic integration |
| **Compliance frameworks** | 7 frameworks: OWASP Top 10 (2021+2025), NIST 800-53, MITRE ATT&CK, NCSA, PDPA, SOC 2, ISO 27001 |
| **CWE mappings** | 488 in total (OWASP 122 + NIST 100 + MITRE 93 + NCSA 62 + PDPA 30 + SOC 2 40 + ISO 27001 41) |
| **OWASP Top 10 coverage** | 10/10 categories, dual-version (2021+2025) mapping |
| **Tests** | 1,296+ checks across 42 suites, all passing |
| **QA rounds** | 13 rounds, latest round 75/75 (1,300+ cumulative checks) |
| **ROI** | 10,222%: actual cost 3,100 THB vs. equivalent value 320,000 THB (133x faster) |
| **Version** | 3.0.3 (2026-03-03) |
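## Key Highlights
- **18 AI agents, 1 team**: Orchestrators delegate tasks to Specialists, Experts analyze cross-tool results, and the Core Team enforces quality gates, all coordinated through a mandatory routing table
- **11 security tools, 1 command**: `/full-pipeline` runs all tools in parallel, deduplicates results across tools, and produces a unified report from a single command
- **Real-time protection**: blocks commits that contain CRITICAL findings and detects secrets (AWS keys, GitHub tokens, JWT) before they are written to disk, within 500ms
- **CVSS v4.0 prioritization**: analyzes business impact and exploitability (Weaponized → None) and assigns SLA tiers (P1: 24 hours → P4: backlog)
- **488 CWE compliance mappings**: automatically maps scan results to OWASP Top 10 (122), NIST 800-53 (100), MITRE ATT&CK (93), NCSA (62), PDPA (30), SOC 2 (40), ISO 27001 (41)
- **NCSA web security standard**: supports the NCSA (Thailand) website security standard (HTTP Headers, TLS, Session Management)
- **MCP Server**: 10 composable tools for programmatic integration with MCP-compatible clients (compare, compliance_status, suggest_fix, history, pipeline)
- **Custom OWASP rules**: 84 custom Semgrep rules covering A01 (access control), A02 (cryptography), A03 (injection), A04 (insecure design), A05 (misconfiguration), A06 (vulnerable components), A07 (authentication failures), A08 (integrity failures), A09 (logging), A10 (SSRF + exception handling), K8s manifests, GraphQL endpoints
- **8 output formats**: SARIF, JSON, Markdown, HTML, PDF, CSV, VEX, Dashboard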
## OWASP Top 10 Coverage
Both the 2021 and 2025 editions of the OWASP Top 10 are covered through dual-version mapping, tools and custom rules:
| # | Category (2021) | Category (2025) | Tools | Detection |
| --- | --- | --- | --- | --- |
| A01 | Broken Access Control | Broken Access Control | **Custom rules (8)**, ZAP, Nuclei | Missing authz, IDOR, path traversal, CORS, privilege escalation (CWE-862/639/22/942/269) |
| A02 | Cryptographic Failures | Cryptographic Failures | **Custom rules (6)**, GitLeaks | Weak encryption, hardcoded keys, insecure algorithms, missing encryption (CWE-327/328/330/338/916) |
| A03 | Injection | Injection | **Custom rules (11)**, ZAP, Nuclei | SQLi, command injection, XSS, LDAP injection, template injection (CWE-89/78/79/90/1336) |
| A04 | Insecure Design | Insecure Design | **Custom rules (4)**, Checkov | Missing rate limiting, insecure file upload, business logic bypass (CWE-770/434/840/841) |
| A05 | Security Misconfiguration | Security Misconfiguration | **Custom rules (6)**, Trivy, Checkov | Debug mode, directory listing, default credentials, verbose error messages (CWE-16/215/548/756/1004) |
| A06 | Vulnerable Components | Vulnerable Components | **Custom rules (5)**, Grype, Syft | Outdated dependencies, known CVEs, version pinning, SBOM analysis (CWE-1104/937/1035) |
| A07 | Auth Failures | Identification Failures | **Custom rules (5)**, ZAP, Nuclei | Weak passwords, missing MFA, session fixation, credential stuffing (CWE-287/306/384/640/521) |
| A08 | Data Integrity Failures | Data Integrity Failures | **Custom rules (5)**, Trivy | Insecure deserialization, unsigned artifacts, CI/CD integrity (CWE-502/829/494/915/345) |
| A09 | Logging Failures | Logging Failures | **Custom rules (7)** | Missing authentication logging, silent catch, PII in logs, log injection, rate-limit logging |
| A10 | SSRF | Exception Handling (new in 2025) | **Custom rules (7+4)**, ZAP, Nuclei | SSRF: cloud metadata, DNS rebinding + Exception: stack trace leakage, global catch (CWE-918/209/392) |
## What's New
### v3.0.3: Platform Release (latest)
- **SQLite history database**: `scripts/scan-db.sh` with 7 subcommands for persistent scan tracking and trend analysis
- **DAG pipeline engine**: `runner/pipeline-engine.sh` with topological sort and 4 built-in pipeline definitions
- **Security dashboard**: self-contained Alpine.js + Chart.js HTML dashboard with 6 panels
- **K8s security scanning**: `/k8s-scan` skill with 8 Semgrep rules + kube-bench CIS Benchmark integration
- **GraphQL security scanning**: `/graphql-scan` skill with 8 Semgrep rules + 4 Nuclei templates
- **2 new MCP tools**: `devsecops_history` and `devsecops_pipeline` (10 in total)
- **84 custom Semgrep rules**: +16 new rules (8 K8s + 8 GraphQL)
Previous versions
### v2.8.0: Supply Chain Compliance + OWASP 10/10
- **OWASP 10/10 custom rules**: A06 Vulnerable Components (5), A07 Auth Failures (5), A08 Integrity Failures (5), 68 custom Semgrep rules in total
- **SLSA provenance assessment**: `/slsa-assess` skill with an SLSA v1.1 reference, for EU CRA compliance
- **VEX output format**: CycloneDX VEX + OpenVEX as the 7th output format
- **TruffleHog secret scanning**: the 9th security tool, with git/filesystem/s3 modes
- **SOC 2 + ISO 27001 compliance**: 2 new mapping files (about 81 CWEs), 7 frameworks in total
### v2.7.0: OWASP 2025, Nuclei DAST, PDPA Compliance
- **OWASP Top 10 2025**: dual-version mapping (2021+2025) across all 122 CWEs, 4 new rule sets (A02/A04/A05/A10-exception)
- **53 custom Semgrep rules**: up from 33, adding A02 Cryptographic Failures (6), A04 Insecure Design (4), A05 Misconfiguration (6), A10 Exception Handling (4)
- **Nuclei DAST integration**: a second DAST tool that runs in parallel with ZAP, with Docker, dispatcher and normalizer support
- **PDPA compliance**: 30 CWE mappings for Thailand's Personal Data Protection Act
- **NCSA 1.0 enhancements**: Permissions-Policy, COOP, COEP, TLS 1.3 checks
### v2.5.0: Custom OWASP Rules (A01/A03/A10), 3 New MCP Tools, PDF/CSV
- **A01/A03/A10 custom Semgrep rules**: 26 new rules detecting access control, injection and SSRF anti-patterns
- **3 new MCP tools**: `devsecops_compare` (trend diff), `devsecops_compliance_status` (aggregated compliance), `devsecops_suggest_fix` (fix suggestions)
- **PDF/CSV formatters**: enterprise PDF export, spreadsheet CSV export
- **700+ tests** across 19 suites (previously 587)
### v2.4.0: DAST Infrastructure, A09 Detection & NCSA Validation
- **A09 custom Semgrep rules**: 7 rules (5 categories) detecting OWASP A09:2021 anti-patterns (CWE-117/390/532/778), for Python + JS/TS
- **ZAP multi-dispatcher**: 3 modes: `baseline` (passive, 120s), `full` (active, 1800s), `api` (OpenAPI, 600s) + authenticated scanning
- **NCSA website security validator**: checks HTTP Security Headers (1.x), Transport Security (2.x) and Session Management (4.x) against the NCSA standard
- **DAST live tests**: conditional test suite for live ZAP scans (requires `DAST_TARGET` to be set)
- **587 tests** across 15 suites (previously 461)
### v2.3.0: NCSA Compliance Mapping
- **NCSA Website Security Standard v1.0**: 62 CWE mappings across 7 categories (the website security standard of Thailand's cybersecurity committee)
- **MCP `ncsa` framework support**: `devsecops_compliance` supports the NCSA framework
- **Auto-fix skill**: `/auto-fix` reads scan results → generates a patch → requests approval → fixes the code → re-scans
### v2.2.0: Framework Remediation + Test Hardening
- **Framework-aware remediation**: 4 reference files (Django, React/Next.js, Express/Node, Spring) + auto-detect routing
- **Syft Normalizer**: SBOM component inventory from CycloneDX-JSON
- **65 new functional tests**: hooks (27), dedup (15), MCP handlers (23)
### v2.1.0: Security Fixes + Coverage Gaps
- **Security fixes**: Python3 dependency guard, MCP command injection fix, ZAP OOM memory limit
- **RBAC Gate**: role-based policy
- **Zod validation**: MCP input is validated with Zod schemas for all 5 tools
### v2.0.0: MCP Server + Agent Orchestration
- **MCP Server**: 5 MCP tools for programmatic integration
- **Agent orchestration**: mandatory routing table + delegation chain
- **Cross-tool deduplication**: deduplicates on (cve_id, file, line)
- **Smart detection**: session-start.sh auto-detects the tech stack
### v1.0.0: Initial Release
- 18 AI agents, 12 skills, 7 Docker security tools
- SARIF/JSON/Markdown output formatters
- CWE → OWASP/NIST/MITRE compliance mapping
## Use Cases
### 1. Development Team: Daily Security Scanning
```
Developer opens Claude Code in the project → session-start detects the tech stack automatically
→ edits code → scan-on-write detects secrets immediately (500ms)
→ types /sast-scan → finds SQL Injection → /auto-fix creates a patch + re-scan
→ git commit → pre-commit-gate blocks if CRITICAL findings remain
```
### 2. Security Team: Pre-Release Assessment
```
Security Lead calls /full-pipeline → runs 7 tools in parallel
→ vuln-triager prioritizes by CVSS v4.0 + exploitability
→ compliance-officer maps to OWASP/NIST/MITRE/NCSA
→ /security-gate decides PASS/FAIL according to the role-based policy
→ report-generator creates an HTML dashboard + SARIF for the GitHub Security tab
```
### 3. Compliance Officer: Audit and Reporting
```
Call /compliance-report --framework all
→ get a cross-walk matrix: CWE → OWASP Top 10 + NIST 800-53 + MITRE ATT&CK + NCSA
→ export as SARIF to upload to GitHub / JSON to send to a SIEM
→ /incident-response creates an IR playbook per NIST 800-61 when a CRITICAL is found
```
### 4. CI/CD Pipeline: Automated Gate
```
# GitHub Actions example
- name: Security Gate
  run: |
    # MCP tool: scan → gate → report
    devsecops_scan --tool semgrep --target .
    devsecops_scan --tool grype --target .
    devsecops_gate --policy security-lead
```
### 5. DAST: Web Application Testing
```
Security Engineer sets DAST_TARGET → chooses a scan mode:
→ baseline (CI/CD, passive only, 120s)
→ full (pre-release, active attacks, 1800s)
→ api (OpenAPI spec-driven, 600s)
→ NCSA validator checks HTTP headers + TLS + session cookies
→ results are merged with SAST findings in the unified report
```
## Why DevSecOps AI Team?
| Before the plugin | With the plugin |
| --- | --- |
| `semgrep scan --config p/owasp-top-ten --sarif ...` | `/sast-scan` |
| `gitleaks detect --source . --report-format json ...` | `/secret-scan` |
| `trivy image --severity HIGH,CRITICAL myapp:latest ...` | `/container-scan` |
| Run 7 tools separately, then merge the results by hand | `/full-pipeline` (runs all 7 tools at once) |
| Open a spreadsheet and map CWE → NIST by hand | `/compliance-report --framework all` |
| Debate whether it is OK to deploy | `/security-gate` (decides automatically based on policy) |
## Quick Start
### 1. Install the plugin
```
# Step 1: register the marketplace
claude plugin marketplace add pitimon/devsecops-ai-team
# Step 2: install the plugin
claude plugin install devsecops-ai-team@pitimon-devsecops
```
### 2. Check prerequisites
```
# Requires Docker Engine 20.10+ and Docker Compose v2+
bash scripts/check-prerequisites.sh
```
### 3. (Optional) Install the MCP server
```
cd mcp && npm install
```
The MCP server is loaded automatically through `.mcp.json` when a Claude Code session is opened
### 4. Start using it
```
# Open Claude Code and type
/devsecops-setup # detect the tech stack + configure automatically
/secret-scan # scan for secrets that leaked into the codebase
/sast-scan # scan for vulnerabilities in code (SQL Injection, XSS, ...)
/full-pipeline # run every scan in parallel, then summarize the results
```
## Architecture Overview
```
You (Claude Code)
|
+--- Skill commands (/sast-scan, /full-pipeline, ...)
|
+--- MCP tools (devsecops_scan, devsecops_gate, ...) <-- v2.0
|
v
+------------------------------------------------------------------+
| 18 AI Agents |
| |
| +---------------+ +---------------+ +------------------------+ |
| | Orchestrators | | Specialists | | Experts + Core Team | |
| | (3 agents) | | (7 agents) | | (8 agents) | |
| | | | | | | |
| | devsecops- | | sast | | compliance-officer | |
| | lead <------+--+ dast | | threat-modeler | |
| | (router) | | sca | | vuln-triager | |
| | stack- | | container | | remediation-advisor | |
| | analyst | | iac | | code-reviewer | |
| | team- | | secret | | incident-responder | |
| | configurator| | sbom | | report-generator | |
| | | | | | pipeline-guardian | |
| +---------------+ +---------------+ +------------------------+ |
+----------------------------+--------------------------------------+
| bash -> job-dispatcher.sh
v
+------------------------------------------------------------------+
| Sidecar Runner (Alpine + Docker CLI) |
| job-dispatcher.sh -> result-collector.sh -> normalize |
| -> dedup-findings.sh -> format |
+--+------+------+------+------+------+-------+-------+------------+
| | | | | | | |
+-v-+ +--v--++--v--++--v--++--v--++--v--++--v--++---v---+
|Sem| |Grype||Trivy||Chek ||GitL || ZAP ||Syft ||Truf |
|gre| | || ||ov ||eaks || || ||fleHog|
|p | | SCA || Con || IaC || Sec ||DAST ||SBOM || Sec |
+---+ +-----++-----++-----++-----++-----++-----++------+
All tools run locally in Docker containers
```
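### How It Works
1. **You type a command in Claude Code** (such as `/sast-scan`), or invoke it through an MCP tool
2. **Orchestrator** (`devsecops-lead`) analyzes the request and then **MUST** delegate to a specialist according to the routing table
3. **Specialist agent** sends the job to a Docker container through `job-dispatcher.sh`
4. **The tool** (such as Semgrep) runs in the container and returns results
5. **json-normalizer.sh** converts the results to the Unified Finding Schema (with severity mapped correctly)
6. **dedup-findings.sh** merges results from multiple tools and removes duplicates
7. **Expert agents** analyze the results: prioritization, compliance mapping, remediation advice
8. **Report generator** produces the report in the requested format
### Full Pipeline Delegation Chain
When `/full-pipeline` is invoked, the system delegates in the following order: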
```
1. @security-stack-analyst -> detect the tech stack
2. Scan Specialists (parallel):
+-- @sast-specialist -> if source code is present
+-- @secret-scanner -> always
+-- @sca-specialist -> if dependency files are present
+-- @container-specialist -> if a Dockerfile is present
+-- @iac-specialist -> if Terraform/K8s is present
+-- @sbom-analyst -> always
3. @vuln-triager -> deduplicate + prioritize
4. @compliance-officer -> map to OWASP/NIST/MITRE/NCSA
5. @remediation-advisor -> fix guidance (HIGH+)
6. @report-generator -> unified report
7. @pipeline-guardian -> gate decision (PASS/FAIL)
```
### Decision Loop Model
Decisions fall into 3 risk levels:
```
Out-of-Loop On-the-Loop In-the-Loop
(AI autonomous) (AI proposes) (Human decides)
+-----------+ +-----------+ +-----------+
| /sast-scan| |/full-pipe | | /dast-scan|
| /sca-scan | |/compliance| | /security |
| /secret- | |/auto-fix | | -gate |
| scan | |/devsecops-| | /incident-|
| /container| | setup | | response |
| /iac-scan | | | | |
| /sbom-gen | | | | |
+-----------+ +-----------+ +-----------+
Low risk Medium risk High risk
No approval AI proposes, Human must
needed human approves decide
```
## 16 Skills: All Commands
### Security Scanning
| Skill | Tool | Function | Decision Loop |
| --- | --- | --- | --- |
| `/sast-scan` | Semgrep | Analyzes source code for SQL Injection, XSS, SSRF and more | Out-of-Loop |
| `/dast-scan` | ZAP | Dynamically tests a web application (3 modes: baseline/full/api) | In-the-Loop |
| `/sca-scan` | Grype | Scans dependencies for known CVEs | Out-of-Loop |
| `/container-scan` | Trivy | Checks Docker images for vulnerabilities + misconfigurations | Out-of-Loop |
| `/iac-scan` | Checkov | Checks Terraform/K8s/Helm against CIS Benchmarks | Out-of-Loop |
| `/secret-scan` | GitLeaks, TruffleHog | Searches for API keys, passwords and tokens leaked into code + validity checking | Out-of-Loop |
| `/sbom-generate` | Syft | Generates a Software Bill of Materials (CycloneDX/SPDX) | Out-of-Loop |
| `/slsa-assess` | — | Assesses the SLSA provenance level against the SLSA v1.1 specification | On-the-Loop |
| `/k8s-scan` | kube-bench, Semgrep | Scans K8s manifests + CIS Benchmark compliance | Out-of-Loop |
| `/graphql-scan` | Semgrep, Nuclei | Checks GraphQL endpoints: introspection, depth, batching | On-the-Loop |
### Orchestration and Reporting
| Skill | Function | Decision Loop |
| --- | --- | --- |
| `/devsecops-setup` | Detects the tech stack + recommends a scan configuration + generates the config | On-the-Loop |
| `/full-pipeline` | Runs all scans in parallel, then merges the results into a unified report | On-the-Loop |
| `/compliance-report` | Maps findings to NIST 800-53, OWASP Top 10, MITRE ATT&CK, NCSA | On-the-Loop |
| `/incident-response` | Creates an IR playbook per NIST 800-61 when a CRITICAL issue is found | In-the-Loop |
| `/security-gate` | Decides pass/fail according to the severity policy before deployment | In-the-Loop |
| `/auto-fix` | Reads scan results → generates a patch → requests approval → fixes the code → re-scans | On-the-Loop |
## 18 AI Agents: The Expert Team
### Orchestrators: Coordinators (3 agents)
| Agent | Responsibility | Routing Cue |
| --- | --- | --- |
| **devsecops-lead** | Team lead: analyzes the request and then **MUST** delegate to a specialist | Coordinator (must not execute tasks itself) |
| **security-stack-analyst** | Detects the tech stack (languages, frameworks, containers, IaC) to select tools | **MUST** be used at session start |
| **team-configurator** | Sets up agent mappings automatically based on the detected project | **MUST** be used for /devsecops-setup |
### Security Specialists: Domain Experts (7 agents)
| Agent | Expertise | Tool | Routing Cue |
| --- | --- | --- | --- |
| **sast-specialist** | Source code analysis, custom rule creation, false-positive filtering | Semgrep | **MUST** be used for SAST |
| **dast-specialist** | Web app testing, authenticated scanning, API fuzzing, NCSA validation | ZAP | **MUST** be used for DAST |
| **sca-specialist** | Dependency risk assessment, license compliance, upgrade paths | Grype | **MUST** be used for SCA |
| **container-security-specialist** | Dockerfile hardening, image optimization, runtime security | Trivy | **MUST** be used for containers |
| **iac-security-specialist** | CIS benchmarks, misconfiguration detection, policy-as-code | Checkov | **MUST** be used for IaC |
| **secret-scanner-specialist** | Git history analysis, entropy detection, rotation guidance | GitLeaks | **MUST** be used for secrets |
| **sbom-analyst** | CycloneDX/SPDX, license compatibility, component inventory | Syft | **MUST** be used for SBOM |
### Universal Experts: Cross-Domain Experts (4 agents)
| Agent | Responsibility | Routing Cue |
| --- | --- | --- |
| **compliance-officer** | Maps findings to NIST 800-53, OWASP Top 10, MITRE ATT&CK, NCSA, CIS | Use PROACTIVELY after scans |
| **threat-modeler** | Analyzes threats using the STRIDE/PASTA methodologies | Use PROACTIVELY on architecture changes |
| **vuln-triager** | Prioritization: CVSS score, exploitability, business impact | Use PROACTIVELY after scan results |
| **remediation-advisor** | Provides remediation advice with code examples (Django, React, Express, Spring) | Use PROACTIVELY after triage |
### Core Team (4 agents)
| Agent | Responsibility | Routing Cue |
| --- | --- | --- |
| **security-code-reviewer** | Security-focused code review: injection, auth bypass, data exposure | **MUST** be used on code changes |
| **incident-responder** | Creates IR playbooks per NIST 800-61, sets severity, tracks remediation | **MUST** be used when a CRITICAL is found |
| **report-generator** | Generates reports: HTML dashboard, Markdown PR comment, SARIF, JSON | **MUST** be used when generating reports |
| **pipeline-guardian** | Security gate: decides pass/fail according to policy before deployment | **MUST** be used when enforcing the gate |
## Vulnerability Prioritization
The `vuln-triager` agent prioritizes findings using CVSS v4.0, not just severity labels:
### Exploitability Classification
| Level | Meaning | Example |
| --- | --- | --- |
| **Weaponized** | A mature exploit is circulating in the wild | Log4Shell, EternalBlue |
| **Active** | Being actively attacked (KEV listed) | CVEs in CISA KEV |
| **POC** | Proof-of-concept code has been published | GitHub POC repositories |
| **Theoretical** | Feasible in theory, but no exploit exists yet | CWEs with no real CVE yet |
| **None** | Not exploitable in this context | Info-level findings |
### SLA Priority Matrix
| Priority | SLA | Severity | Action |
| --- | --- | --- | --- |
| **P1** | 24 hours | CRITICAL + Weaponized | IR playbook + immediate hotfix |
| **P2** | 7 days | HIGH or CRITICAL+POC | Plan the fix in the current sprint |
| **P3** | 30 days | MEDIUM | Goes into the next sprint backlog |
| **P4** | Backlog | LOW / INFO | Track only |
## Role-Based Security Policy
`severity-policy.json` defines RBAC for the security gate; each role has a different policy:
| Setting | developer | security-lead | release-manager |
| --- | --- | --- | --- |
| **Fail on** | CRITICAL | CRITICAL, HIGH | CRITICAL, HIGH, MEDIUM |
| **Required scans** | sast, secret | sast, sca, secret, container | sast, sca, secret, container, iac, sbom |
| **Suppression allowed** | No | Yes | Yes |
| **Max age (hours)** | 48 | 24 | 24 |
**Gate override** is off by default (`allow_gate_override: false`); overriding requires the security-lead role. This is an enterprise security feature that makes the gate genuinely blocking rather than merely advisory.
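How the role table above turns into a PASS/FAIL decision, as an added example (not the plugin's own gate code). The dictionary layout, the `suppressed` status value, the reading of "Max age" as the maximum age of a required scan's result, and the `override_by` parameter are assumptions; the per-role values come from the table.

```python
from datetime import datetime, timedelta, timezone

# Values from the README table; the key names are assumed, since the real
# severity-policy.json layout is not shown on the page.
POLICY = {
    "allow_gate_override": False,
    "roles": {
        "developer": {
            "fail_on": {"CRITICAL"},
            "required_scans": ["sast", "secret"],
            "allow_suppression": False,
            "max_age_hours": 48,
        },
        "security-lead": {
            "fail_on": {"CRITICAL", "HIGH"},
            "required_scans": ["sast", "sca", "secret", "container"],
            "allow_suppression": True,
            "max_age_hours": 24,
        },
        "release-manager": {
            "fail_on": {"CRITICAL", "HIGH", "MEDIUM"},
            "required_scans": ["sast", "sca", "secret", "container", "iac", "sbom"],
            "allow_suppression": True,
            "max_age_hours": 24,
        },
    },
}


def evaluate_gate(role, findings, scans, now, policy=POLICY, override_by=None):
    """Return the gate decision for `role`.

    findings: Unified Finding Schema entries (id, severity, status).
    scans:    scan_type -> datetime the scan finished.
    """
    rules = policy["roles"][role]
    violations = []

    # 1. Every required scan must exist and be recent enough.
    max_age = timedelta(hours=rules["max_age_hours"])
    for scan_type in rules["required_scans"]:
        finished = scans.get(scan_type)
        if finished is None:
            violations.append(f"missing required scan: {scan_type}")
        elif now - finished > max_age:
            violations.append(f"stale scan: {scan_type}")

    # 2. Findings at a failing severity block the gate. A suppression only
    #    counts when the role is allowed to suppress.
    for finding in findings:
        if finding["severity"] not in rules["fail_on"]:
            continue
        if finding.get("status") == "suppressed" and rules["allow_suppression"]:
            continue
        violations.append(f"{finding['severity']} finding {finding['id']}")

    # 3. Override needs both the global switch and a security-lead requester.
    overridden = (
        bool(violations)
        and policy["allow_gate_override"]
        and override_by == "security-lead"
    )
    decision = "PASS" if (not violations or overridden) else "FAIL"
    return {"decision": decision, "violations": violations, "overridden": overridden}


# Constructed sample input.
NOW = datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE_SCANS = {
    "sast": NOW - timedelta(hours=1),
    "secret": NOW - timedelta(hours=1),
    "sca": NOW - timedelta(hours=30),
    "container": NOW - timedelta(hours=30),
}
SAMPLE_FINDINGS = [
    {"id": "FINDING-001", "severity": "HIGH", "status": "open"},
    {"id": "FINDING-002", "severity": "CRITICAL", "status": "suppressed"},
]

if __name__ == "__main__":
    for role in POLICY["roles"]:
        print(role, evaluate_gate(role, SAMPLE_FINDINGS, SAMPLE_SCANS, NOW))
```

With the sample data, the same suppressed CRITICAL finding fails the developer gate but not the security-lead gate, which instead fails on the open HIGH finding and two stale scans.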
## MCP Server Integration (v2.0)
The MCP server lets MCP-compatible clients (such as Claude Desktop and IDE plugins) invoke security scans directly, without typing skill commands:
```
Claude Code / MCP Client ---- stdio ----> mcp/server.mjs
|
+-------------+-------------+
v v v
job-dispatcher result-collector mappings/*.json
|
Docker containers (Semgrep, Grype, Trivy, ...)
```
### MCP Tools
| MCP Tool | Input | Output | Function |
| --- | --- | --- | --- |
| `devsecops_scan` | tool, target, rules | job_id + normalized findings | Runs a security scan (tool selectable) |
| `devsecops_results` | job_id, format | Formatted results | Fetches scan results in the requested format |
| `devsecops_gate` | results_file, policy | PASS/FAIL + violations | Evaluates pass/fail against the severity policy |
| `devsecops_compliance` | findings_file, frameworks | Cross-walk matrix | Maps findings to OWASP/NIST/MITRE/NCSA |
| `devsecops_status` | (none) | runner + images status | Checks Docker + available tool images |
| `devsecops_compare` | baseline_file, current_file | new/fixed/unchanged + trend | Compares two scan results (trend analysis) |
| `devsecops_compliance_status` | findings_file | Coverage per framework | Compliance summary across 5 frameworks |
| `devsecops_suggest_fix` | cwe_id, rule_id, finding_file | Fix suggestions | Fix suggestions based on the CWE/rule knowledge base |
### Installing MCP
```
cd mcp && npm install
# Verify
node --check mcp/server.mjs
bash tests/test-mcp-server.sh # 23 tests
bash tests/test-mcp-compare.sh # 22 compare tests
```
The MCP server is loaded automatically through `.mcp.json`; no extra configuration is needed
## Compliance Mapping
This plugin automatically maps CWE results to compliance frameworks: **488 CWE mappings across 7 frameworks**:
| Framework | Version | CWE count | Purpose |
| --- | --- | --- | --- |
| **OWASP Top 10** | 2021+2025 | 122 | Web application security categories (dual-version) |
| **NIST SP 800-53** | Rev. 5 | 100 | Federal security controls |
| **MITRE ATT&CK** | v16 | 93 | Adversary tactics and techniques |
| **NCSA Web Security** | 1.0 | 62 | Thailand's national website security standard |
| **SOC 2** | TSC 2017 | ~40 | Trust Services Criteria (security, availability, etc.) |
| **ISO 27001** | 2022 | ~41 | Information security management (Annex A controls) |
| **PDPA** | 2562 | 30 | Thailand's Personal Data Protection Act |
### Other Frameworks Tracked
| Framework | Version | Purpose |
| --- | --- | --- |
| **CIS Benchmarks** | Various | Configuration hardening baselines |
| **PCI DSS** | 4.0.1 | Payment card industry compliance |
| **CVSS** | 4.0 | Vulnerability severity scoring |
| **NIST 800-61** | Rev. 3 | Incident response lifecycle |
### NCSA Website Security Standard
The website security standard defined by Thailand's cybersecurity committee (NCSA):
| Category | What is checked | Method |
| --- | --- | --- |
| **NCSA 1.x** | HTTP Security Headers (HSTS, X-Frame-Options, CSP, Permissions-Policy, COOP, COEP) | DAST + header validation |
| **NCSA 2.x** | Transport Security (TLS >= 1.2, TLS 1.3 preferred, HTTPS enforced, certificate validity) | DAST + TLS checks |
| **NCSA 3.x** | Authentication and access control | SAST + DAST |
| **NCSA 4.x** | Session Management (Cookie Secure, HttpOnly, SameSite flags) | DAST + cookie checks |
| **NCSA 5.x** | Input validation (SQLi, XSS, SSRF protection) | SAST + DAST |
| **NCSA 6.x** | Error handling and logging | SAST + custom A09 rules |
| **NCSA 7.x** | Data protection (encryption at rest / in transit) | SAST + configuration checks |
## Output Formats
The results of every scan can be exported in 7 formats:
| Format | Purpose | Example |
| --- | --- | --- |
| **SARIF** v2.1.0 | Upload to the GitHub Security tab | `results.sarif` |
| **JSON** | For CI/CD pipelines or custom tooling | `results.json` |
| **Markdown** | Paste as a PR comment | `results.md` |
| **HTML** | Executive dashboard for management | `results.html` |
| **PDF** | Enterprise-grade report for audit/management | `results.pdf` |
| **CSV** | Import into a spreadsheet / SIEM | `results.csv` |
| **VEX** | Vulnerability Exploitability eXchange (CycloneDX VEX + OpenVEX) | `results.vex.json` |
### Unified Finding Schema
Results from all tools are normalized into a single format:
```
{
"findings": [
{
"id": "FINDING-20260301-001",
"source_tool": "semgrep",
"scan_type": "sast",
"severity": "HIGH",
"title": "SQL Injection via string concatenation",
"cwe_id": "CWE-89",
"location": { "file": "src/api/users.py", "line_start": 45 },
"status": "open"
}
],
"summary": {
"total": 1,
"critical": 0,
"high": 1,
"medium": 0,
"low": 0,
"info": 0
}
}
```
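### Cross-Tool Deduplication
When several tools run at once (`/full-pipeline`), the system deduplicates the results automatically:
- **Dedup key**: `(cve_id, file, line_start)` for file findings, `(cve_id, package)` for dependencies
- **On merge**: the highest severity is kept and the source tools are combined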
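The dedup and merge rules above applied to Unified Finding Schema entries, as an added example (not the project's `dedup-findings.sh`). Assumptions: the `package` and `source_tools` field names, falling back to `cwe_id` when a finding has no `cve_id` (the schema sample shows only `cwe_id`), and never merging findings that lack the fields for either key. The sample findings and the CVE placeholder are constructed.

```python
SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


def dedup_key(finding):
    """Build the key described in the README.

    File findings:       (cve_id, file, line_start)
    Dependency findings: (cve_id, package)
    """
    # Assumption: SAST and secret findings carry cwe_id instead of cve_id.
    vuln_id = finding.get("cve_id") or finding.get("cwe_id")
    location = finding.get("location") or {}
    if vuln_id and location.get("file") and location.get("line_start") is not None:
        return ("file", vuln_id, location["file"], location["line_start"])
    if vuln_id and finding.get("package"):
        return ("package", vuln_id, finding["package"])
    # Not enough data to match safely: keep the finding on its own.
    return ("unique", finding["id"])


def dedup_findings(findings):
    """Merge duplicates: keep the highest severity, combine the source tools."""
    merged = {}
    for finding in findings:
        key = dedup_key(finding)
        if key not in merged:
            entry = dict(finding)  # shallow copy, the input list is not modified
            entry["source_tools"] = [finding["source_tool"]]
            merged[key] = entry
            continue
        kept = merged[key]
        if finding["source_tool"] not in kept["source_tools"]:
            kept["source_tools"].append(finding["source_tool"])
        if RANK.get(finding["severity"], -1) > RANK.get(kept["severity"], -1):
            kept["severity"] = finding["severity"]
    return list(merged.values())


def summarize(findings):
    """Recompute the schema's summary block after deduplication."""
    summary = {"total": len(findings)}
    summary.update({name.lower(): 0 for name in reversed(SEVERITY_ORDER)})
    for finding in findings:
        summary[finding["severity"].lower()] += 1
    return summary


# Constructed sample: two SCA tools report the same package CVE, two secret
# scanners report the same line, and Semgrep reports the same CWE on two lines.
SAMPLE_FINDINGS = [
    {"id": "F-1", "source_tool": "grype", "severity": "HIGH",
     "cve_id": "CVE-0000-0001", "package": "examplelib@1.2.3"},
    {"id": "F-2", "source_tool": "trivy", "severity": "CRITICAL",
     "cve_id": "CVE-0000-0001", "package": "examplelib@1.2.3"},
    {"id": "F-3", "source_tool": "gitleaks", "severity": "HIGH", "cwe_id": "CWE-798",
     "location": {"file": "config/settings.py", "line_start": 12}},
    {"id": "F-4", "source_tool": "trufflehog", "severity": "CRITICAL", "cwe_id": "CWE-798",
     "location": {"file": "config/settings.py", "line_start": 12}},
    {"id": "F-5", "source_tool": "semgrep", "severity": "HIGH", "cwe_id": "CWE-89",
     "location": {"file": "src/api/users.py", "line_start": 45}},
    {"id": "F-6", "source_tool": "semgrep", "severity": "MEDIUM", "cwe_id": "CWE-89",
     "location": {"file": "src/api/users.py", "line_start": 80}},
]

if __name__ == "__main__":
    unique = dedup_findings(SAMPLE_FINDINGS)
    for item in unique:
        print(item["id"], item["severity"], item["source_tools"])
    print(summarize(unique))
```

The two CWE-89 findings stay separate because `line_start` is part of the key, so the same weakness on different lines is not collapsed into one entry.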
## Autonomous Security Controls: Automatic Protection
The plugin installs 3 hooks that run automatically, with no command needed:
| Hook | Trigger | Function |
| --- | --- | --- |
| **session-start** | Opening Claude Code | Shows runner status + recommends scans based on project files |
| **scan-on-write** | Modifying/creating a file | Immediately scans for secrets + injection patterns (500ms) |
| **pre-commit-gate** | `git commit` | Blocks the commit if there are unfixed CRITICAL findings |
### Real-Time Secret Detection
The `scan-on-write` hook detects 8 secret patterns before the write reaches disk and **blocks immediately (exit 2)**:
| Pattern | Example |
| --- | --- |
| AWS Access Key | `AKIA...` (16 chars) |
| API Secret Key | `sk-...` (20+ chars) |
| GitHub PAT/OAuth | `ghp_...`, `gho_...`, `ghs_...` |
| Slack Token | `xoxb-...`, `xoxp-...` |
| JWT Token | `eyJ...` (3-part base64) |
It also detects **4 injection patterns** as warnings (non-blocking):
`eval()`, `exec()`, `child_process.exec()`, `subprocess(shell=True)`
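The block/warn split described above, as an added example (not the plugin's `scan-on-write` hook). The regular expressions are approximations built from the prefixes and lengths in the table; exact character classes and minimum lengths are assumptions, and the sample content is constructed. Results report only the pattern name and line number, so the matched secret is never echoed back.

```python
import re
import sys

# 8 blocking patterns: one per prefix listed in the table above.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "api_secret_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}"),
    "github_ghp": re.compile(r"\bghp_[A-Za-z0-9]{20,}"),
    "github_gho": re.compile(r"\bgho_[A-Za-z0-9]{20,}"),
    "github_ghs": re.compile(r"\bghs_[A-Za-z0-9]{20,}"),
    "slack_xoxb": re.compile(r"\bxoxb-[A-Za-z0-9-]{10,}"),
    "slack_xoxp": re.compile(r"\bxoxp-[A-Za-z0-9-]{10,}"),
    "jwt": re.compile(r"\beyJ[\w-]{5,}\.[\w-]{5,}\.[\w-]{5,}"),
}

# 4 warning-only patterns. The lookbehind keeps plain `exec(` from also
# firing on `child_process.exec(` or any other method call named exec.
WARNING_PATTERNS = {
    "child_process.exec": re.compile(r"child_process\.exec\s*\("),
    "subprocess shell=True": re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
    "eval": re.compile(r"(?<![\w.])eval\s*\("),
    "exec": re.compile(r"(?<![\w.])exec\s*\("),
}

EXIT_ALLOW = 0
EXIT_BLOCK = 2  # the exit code the README gives for a blocked write


def scan_content(content):
    """Return (exit_code, blocked, warnings) for text about to be written.

    blocked and warnings are lists of (pattern_name, line_number).
    """
    blocked, warnings = [], []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                blocked.append((name, line_no))
        for name, pattern in WARNING_PATTERNS.items():
            if pattern.search(line):
                warnings.append((name, line_no))
    return (EXIT_BLOCK if blocked else EXIT_ALLOW), blocked, warnings


# Constructed samples. The key is assembled from parts so that no
# realistic-looking credential appears in this file.
SAMPLE_WITH_SECRET = (
    'AWS_KEY = "' + "AKIA" + "A" * 16 + '"\n'
    "result = eval(user_input)\n"
)
SAMPLE_CLEAN = (
    "const cp = require('child_process');\n"
    "child_process.exec(cmd);\n"
    "token = load_from_vault('ci-token')\n"
)

if __name__ == "__main__":
    code, blocked, warnings = scan_content(sys.stdin.read())
    for name, line_no in blocked:
        print(f"BLOCK {name} at line {line_no}", file=sys.stderr)
    for name, line_no in warnings:
        print(f"WARN  {name} at line {line_no}", file=sys.stderr)
    sys.exit(code)
```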
### Smart Project Detection
`session-start.sh` inspects project files and recommends scans automatically:
| Detected | Recommended | Language/Framework |
| --- | --- | --- |
| `package.json`, `requirements.txt`, `go.mod` | `/sca-scan` | Node.js, Python, Go |
| `Dockerfile`, `docker-compose*.yml` | `/container-scan` | Docker |
| `*.tf`, `k8s/`, `kubernetes/` | `/iac-scan` | Terraform, Kubernetes |
| `.git/` | `/secret-scan` | All projects that use Git |
| `*.py`, `*.js`, `*.ts`, `*.java`, `*.go` | `/sast-scan` | Python, JS/TS, Java, Go |
## Sidecar Runner Architecture
All tools run in Docker containers, in one of 2 modes:
### Minimal Mode (recommended for development)
```
# No long-running container needed: one-shot invocation
bash scripts/install-runner.sh --mode minimal
```
- Uses `docker run --rm`: the container is removed as soon as it finishes
- Uses less RAM/CPU
- Suitable for development and CI/CD
### Full Mode (for production / heavy use)
```
# Keeps the sidecar container running to speed up scans
bash scripts/install-runner.sh --mode full
```
- Uses a persistent container + `docker exec`
- No need to pull images every time, so scans are faster
- Suitable for production environments
### Volume Security
| Volume | Access | Purpose |
| --- | --- | --- |
| `/workspace` | Read-only | The project's source code |
| `/results` | tmpfs (RAM) | Scan results, not written to disk |
| `/config` | Read-only | Rules, policies, configuration |
| `/cache` | Persistent | Tool DB cache (Trivy, Grype) |
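## Security & Privacy
- **Source code never leaves the machine**: all tools run in local Docker containers
- **Scan results stay in RAM**: a tmpfs volume is used, so nothing is written to disk
- **Workspace is mounted read-only**: tools can only read, not modify
- **No network access**: containers do not need the internet (except ZAP, which must reach the target URL)
- **Non-root containers**: the Dockerfile uses a non-root USER + tini init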
## Testing & Quality
### Test Results (1,296+)
```
Validation: 276/276 structural checks (plugin structure, skills, agents, mappings)
Normalizer: 41/41 severity mapping + multi-array + null safety
MCP Server: 30/30 config + syntax + tool definitions
MCP Handlers: 37/37 Zod validation + gate logic + compliance crosswalk + NCSA + PDPA
Hooks: 27/27 session-start + scan-on-write + pre-commit-gate
Dedup: 15/15 cross-tool deduplication
Auto-Fix: 37/37 SKILL.md structure + agent config + routing
DAST Integration: 22/22 ZAP fixture + normalizer + dispatcher
MCP Integration: 38/38 Docker availability + handler logic + runner
A01 Rules: 30/30 A01 access control rule YAML + metadata + CWE + OWASP 2025
A02 Rules: 17/17 A02 cryptographic failures rule YAML + metadata + CWE
A03 Rules: 33/33 A03 injection rule YAML + metadata + CWE + OWASP 2025
A04 Rules: 17/17 A04 insecure design rule YAML + metadata + CWE
A05 Rules: 18/18 A05 security misconfiguration rule YAML + metadata + CWE
A06 Rules: 17/17 A06 vulnerable components rule YAML + metadata + CWE
A07 Rules: 18/18 A07 authentication failures rule YAML + metadata + CWE
A08 Rules: 16/16 A08 integrity failures rule YAML + metadata + CWE
A09 Rules: 28/28 A09 logging rule YAML + metadata + CWE + OWASP 2025
A10 Rules: 31/31 A10 SSRF + exception handling rules + OWASP 2025
ZAP Modes: 34/34 mode parsing + timeout + Docker commands + fixtures
NCSA Validator: 28/28 script structure + header checks + TLS 1.3 + output format
MCP Compare: 22/22 compare + compliance_status + suggest_fix tools
DAST Live: 0/0 conditional (requires DAST_TARGET env var)
Nuclei Integration: 22/22 Nuclei fixture + normalizer + dispatcher
PDPA Mapping: 17/17 PDPA CWE mappings + structure + coverage
SOC 2 Mapping: 17/17 SOC 2 Trust Service Criteria mappings
ISO 27001 Mapping: 17/17 ISO 27001 Annex A control mappings
SLSA Skill: 15/15 SLSA provenance assessment skill
VEX Formatter: 20/20 CycloneDX + OpenVEX output format
TruffleHog: 21/21 TruffleHog fixture + normalizer + dispatcher
Secret Verifier: 18/18 secret validity checking + provider verification
Formatters: 29/29 SARIF + JSON + Markdown + HTML + CSV + PDF formatter validation
Runner: 28/28 job-dispatcher + result-collector + Docker orchestration
Version Bump: 17/17 version-bump.sh script tests
CI Adapter: 25/25 CI platform detection + adapter functions
CI Templates: 65/65 GitHub Actions + GitLab CI template validation
Release: 12/12 release checklist script tests
Scan DB: 33/33 SQLite scan history database + 7 subcommands + OWASP enrichment + compliance
Pipeline Engine: 25/25 DAG pipeline engine + topological sort + cycle detection
K8s Scan: 23/23 K8s skill + rules + kube-bench + normalizer integration
GraphQL Scan: 34/34 GraphQL skill + rules + Nuclei templates + normalizer + metadata
Dashboard: 26/26 dashboard generator + template + data injection + special character regression
--------------------------------------------------------------
Total: 1296+ checks passed (42 suites)
```
### QA History
| Round | Score | Version | Focus |
| --- | --- | --- | --- |
| QA 1 | 39/54 | v2.0.0 | Initial comprehensive audit |
| QA 2 | 45/54 | v2.0.1 | Null safety + CWE coverage |
| QA 3 | 48/54 | v2.0.2 | Compliance mapping gaps |
| QA 4 | 50/54 | v2.1.0 | Security fixes + RBAC |
| QA 5 | 51/54 | v2.2.0 | Framework remediation |
| QA 6 | 52/54 | v2.2.0 | Test hardening |
| QA 7 | 53/54 | v2.3.0 | NCSA compliance |
| QA 8 | **54/54** | v2.4.0 | Full coverage achieved |
### Running Tests Locally
```
# Run all suites
for f in tests/validate-plugin.sh tests/test-*.sh; do bash "$f"; done
# Or individually
bash tests/validate-plugin.sh # 258 structural checks
bash tests/test-normalizer.sh # 41 normalizer unit tests
bash tests/test-mcp-server.sh # 30 MCP server tests
bash tests/test-mcp-handlers.sh # 37 MCP handler logic tests
bash tests/test-hooks.sh # 27 hook tests
bash tests/test-dedup.sh # 15 dedup tests
bash tests/test-auto-fix.sh # 37 auto-fix skill tests
bash tests/test-dast-integration.sh # 22 DAST integration tests
bash tests/test-mcp-integration.sh # 38 MCP Docker integration tests
bash tests/test-a01-rules.sh # 30 A01 access control rules tests
bash tests/test-a02-rules.sh # 17 A02 cryptographic failures tests
bash tests/test-a03-rules.sh # 33 A03 injection rules tests
bash tests/test-a04-rules.sh # 17 A04 insecure design tests
bash tests/test-a05-rules.sh # 18 A05 security misconfiguration tests
bash tests/test-a09-rules.sh # 28 A09 custom rules tests
bash tests/test-a10-rules.sh # 31 A10 SSRF + exception handling tests
bash tests/test-mcp-compare.sh # 22 MCP compare tests
bash tests/test-zap-modes.sh # 34 ZAP multi-mode tests
bash tests/test-ncsa-validator.sh # 28 NCSA validator tests
bash tests/test-nuclei-integration.sh # 22 Nuclei DAST integration tests
bash tests/test-pdpa-mapping.sh # 17 PDPA mapping tests
bash tests/test-dast-live.sh # conditional (needs DAST_TARGET)
bash tests/test-formatters.sh # 29 formatter tests
bash tests/test-runner.sh # 28 runner tests
bash tests/test-version-bump.sh # 17 version bump tests
bash tests/test-ci-adapter.sh # 25 CI adapter tests
bash tests/test-ci-templates.sh # 65 CI template tests
bash tests/test-release.sh # 12 release checklist tests
```
## ROI & Business Value
### Development Cost Comparison
| Metric | Manual development | Claude Code (actual) | Savings |
| --- | --- | --- | --- |
| **Duration** | 40 person-days (2 months) | 2.4 days (~19 hours) | 133x faster |
| **Cost** | 320,000 THB | 3,100 THB | 99% saved |
| **ROI** | — | **10,222%** | — |
| **Break-even point** | — | 3.1 hours of manual work saved | — |
### Annual TCO Analysis
| Cost Component | Traditional team | AI-assisted | Savings |
| --- | --- | --- | --- |
| Initial development | 320,000 THB | 3,100 THB | 316,900 THB |
| Annual maintenance | 384,000 THB/yr | 6,000 THB/yr | 378,000 THB/yr |
| **3-year total** | **1,304,000 THB** | **93,700 THB** | **1,210,300 THB (92.8%)** |
### Value Delivered
| Deliverable | Quantity |
| --- | --- |
| AI Agents | 18 (fully configured with routing + delegation) |
| Security skills | 16 (10 scanning + 6 orchestration) |
| Docker tool integrations | 11 (Semgrep, ZAP, Nuclei, Grype, Trivy, Checkov, GitLeaks, Syft, TruffleHog, kube-bench, Nuclei-GraphQL) |
| MCP tools | 10 (scan, results, gate, compliance, status, compare, compliance_status, suggest_fix, history, pipeline) |
| CWE compliance mappings | 488 across 7 frameworks |
| Custom security rules | 84 (OWASP A01-A10 + K8s + GraphQL Semgrep rules) |
| Automated tests | 1,296+ across 42 suites |
| Reference documents | 19 domain knowledge files (about 500-800 lines each) |
| Hooks (real-time protection) | 3 (session-start, scan-on-write, pre-commit-gate) |
| Output formatters | 8 (SARIF, JSON, Markdown, HTML, PDF, CSV, VEX, Dashboard) |
## 与替代方案对比
| Feature | DevSecOps AI Team | GitHub Advanced Security | Snyk | SonarQube |
| ---------------------- | ----------------------------------- | ------------------------ | ---------------- | ------------ |
| **Pricing**            | Free (MIT)                          | $49/user/mo              | $52/user/mo+     | $150+/mo     |
| **SAST** | Semgrep | CodeQL | Snyk Code | SonarQube |
| **DAST** | ZAP + Nuclei | — | — | — |
| **SCA** | Grype | Dependabot | Snyk Open Source | — |
| **Container** | Trivy | — | Snyk Container | — |
| **IaC** | Checkov | — | Snyk IaC | — |
| **Secrets** | GitLeaks + TruffleHog | Secret scanning | — | — |
| **SBOM** | Syft | — | — | — |
| **AI Agent** | 18 agents | — | — | — |
| **NLP interface**      | Natural language                    | —                        | —                | —            |
| **NCSA compliance**    | Built-in                            | —                        | —                | —            |
| **Offline/air-gapped** | Full support                        | Partial                  | —                | Self-hosted  |
| **Data privacy**       | 100% local                          | Cloud                    | Cloud            | Self-hosted  |
| **Custom rules**       | 84 rules (10 OWASP + K8s + GraphQL) | Custom CodeQL            | —                | Custom rules |
| **MCP integration**    | 10 tools                            | —                        | —                | —            |
## Project Structure
```
devsecops-ai-team/
+-- .claude-plugin/ # Plugin metadata (plugin.json, marketplace.json)
+-- .mcp.json # MCP server declaration
+-- .github/workflows/ # CI/CD (validate, security-scan, framework-review, release)
+-- ci-templates/ # CI templates (GitHub Actions + GitLab CI copy-paste)
+-- agents/ # 18 AI agents (4 subdirectories)
| +-- orchestrators/ # 3 orchestrator agents
| +-- specialists/ # 7 specialist agents
| +-- experts/ # 4 expert agents
| +-- core-team/ # 4 core team agents
+-- skills/ # 16 skill definitions (SKILL.md)
| +-- references/ # 19 domain knowledge files (~500-800 lines each)
+-- runner/ # Sidecar Runner (Dockerfile, compose, dispatcher, collector)
| +-- pipelines/ # DAG pipeline definitions (YAML)
| +-- pipeline-engine.sh # DAG execution engine with topological sort
| +-- nuclei-templates/ # Custom Nuclei templates (GraphQL)
+-- formatters/ # SARIF, Markdown, HTML, PDF, CSV, VEX, JSON normalizer, dedup, dashboard
+-- mcp/ # MCP server -- 10 tools
| +-- server.mjs # ESM module, stdio transport
| +-- package.json # @modelcontextprotocol/sdk + zod
+-- mappings/ # CWE->OWASP, CWE->NIST, CWE->MITRE, CWE->NCSA, CWE->PDPA, CWE->SOC2, CWE->ISO27001, severity policy
+-- rules/ # Custom Semgrep rules (A01-A10, K8s, GraphQL) — 84 rules
+-- templates/ # Report templates (HTML, Markdown, dashboard.html)
+-- hooks/ # 3 hooks (session-start, scan-on-write, pre-commit-gate)
+-- scripts/ # install-runner, install-rules, check-prerequisites, NCSA validator, scan-db.sh
+-- tests/ # 1,296+ tests across 42 suites
+-- docs/ # INSTALL, TROUBLESHOOTING, AGENT-CATALOG, RUNBOOK, MANDAY
+-- examples/ # Rules, policies, DOMAIN.md, Semgrep rules
+-- frameworks.json # 19 tracked security frameworks with version info
```
## Documentation
| Document                                                        | Contents                                                    |
| --------------------------------------------------------------- | ----------------------------------------------------------- |
| [**Wiki**](https://github.com/pitimon/devsecops-ai-team/wiki)   | Comprehensive documentation with ASCII diagrams             |
| [INSTALL.md](docs/INSTALL.md)                                   | Standard, manual, offline, and MCP installation methods     |
| [AGENT-CATALOG.md](docs/AGENT-CATALOG.md)                       | Details of all 18 agents, including routing cues + triggers |
| [TROUBLESHOOTING.md](docs/TROUBLESHOOTING.md)                   | Troubleshooting common problems (8 scenarios)               |
| [FRAMEWORK-UPDATE-RUNBOOK.md](docs/FRAMEWORK-UPDATE-RUNBOOK.md) | Steps for updating framework versions                       |
| [MANDAY-ESTIMATION.md](docs/MANDAY-ESTIMATION.md)               | ROI analysis + cost comparison (10,222% ROI)                |
| [CLAUDE.md](CLAUDE.md)                                          | Architecture + contribution guide                           |
| [CHANGELOG.md](CHANGELOG.md)                                    | Version history (v1.0.0 → v3.0.3)                           |
| [SECURITY.md](SECURITY.md)                                      | Vulnerability reporting policy                              |
## Bilingual Output: Thai + English
All output uses **Thai text + English technical terms**:
```
## Scan Results
พบช่องโหว่ SQL Injection ในไฟล์ `src/api/users.py` บรรทัด 45
ความรุนแรง: HIGH (CWE-89, OWASP A03:2021)
คำแนะนำ: ใช้ parameterized queries แทน string concatenation
```
## Governance Integration
This plugin is designed to work seamlessly with [claude-governance](https://github.com/pitimon/claude-governance):
```
claude-governance (base) devsecops-ai-team (extends)
+-- Pre-commit checks +-- + Secret scan (GitLeaks)
+-- DOMAIN.md validation +-- + SAST quick-check (Semgrep)
+-- Conventional commits +-- + Pre-commit security gate
+-- Test coverage >= 80% +-- + Full pipeline scan results
+-- Architecture fitness +-- + Container/IaC/SCA checks
```
When both plugins are installed, their hooks work together (additive, no conflicts).
## Requirements
| Requirement    | Minimum | Recommended | Notes                       |
| -------------- | ------- | ----------- | --------------------------- |
| Docker Engine  | 20.10+  | 25.0+       | Required for all scans      |
| Docker Compose | v2.0+   | v2.24+      | Required for Full mode      |
| Node.js        | 18+     | 20+         | Required for the MCP server |
| Python         | 3.8+    | 3.12+       | Required for the formatters |
| Disk Space     | 2 GB    | 5 GB        | Docker images               |
| Claude Code    | Latest  | Latest      |                             |
## Contributing
1. Fork the repository
2. Create a feature branch: `git checkout -b feat/my-feature`
3. Follow [Conventional Commits](https://www.conventionalcommits.org/): `feat:`, `fix:`, `docs:`, etc.
4. Run validation: `bash tests/validate-plugin.sh`
5. Run all tests: `for f in tests/validate-plugin.sh tests/test-*.sh; do bash "$f"; done`
6. Submit a pull request

See [CLAUDE.md](CLAUDE.md) for details.
## Roadmap
| Version | Status | Theme | Key Features |
| ------- | ----------- | --------------- | ---------------------------------------------------------------- |
| v1.0.0 | Released | Foundation | 18 agents, 12 skills, 7 tools, compliance mappings |
| v2.0.0 | Released | MCP & Quality | MCP server, orchestration, dedup, smart detection |
| v2.1.0 | Released | Security & RBAC | 3 security fixes, RBAC gate, Zod validation |
| v2.2.0 | Released | Remediation | Framework-aware fixes (Django/React/Express/Spring) |
| v2.3.0 | Released | Automation | /auto-fix skill, NCSA compliance, integration tests |
| v2.4.0 | Released | Detection | A09 custom rules, ZAP multi-mode, NCSA validator |
| v2.5.0 | Released | Rules & MCP | 33 rules (A01/A03/A09/A10), 3 MCP tools, PDF/CSV |
| v2.6.x | Released | CI/CD | GitHub Actions, GitLab CI, SARIF per-tool, MCP bundle, tech debt |
| v2.7.0 | Released | OWASP 2025 | Dual mapping, 53 rules, Nuclei, NCSA 1.0, PDPA |
| v2.8.0 | Released | Supply Chain | SLSA, VEX, 10/10 OWASP rules, SOC 2, ISO 27001, TruffleHog |
| v3.0.3 | **Current** | Platform | SQLite DB, DAG pipeline, dashboard, K8s scan, GraphQL scan |
## License
MIT License. See [LICENSE](LICENSE) for details.

DevSecOps AI Team: Claude Code Enterprise Security Plugin
18 AI Agents | 16 Skills | 11 Tools | 10 MCP Tools | 8 Output Formats | 488 CWE Mappings | OWASP 10/10
Built with Claude Code | Powered by Open Source Security Tools