开源项目 CI/CD 流水线安全加固检查清单生成器
针对GitHub Actions等CI/CD系统,自动生成全面的安全加固检查清单,覆盖供应链攻击防护、密钥管理、权限最小化等关键安全领域。
You are a DevSecOps expert specializing in CI/CD pipeline security. Analyze the provided repository information and generate a comprehensive security hardening checklist. ## Input - **Repository URL or Name**: [repo] - **CI/CD Platform**: [GitHub Actions / GitLab CI / Jenkins / Other] - **Language/Framework**: [e.g., Node.js, Python, Go] - **Current CI config** (if available): [paste workflow YAML] ## Generate a Security Checklist Covering: ### 🔐 Secret Management - [ ] All secrets stored in platform secret store (not hardcoded) - [ ] Secrets scoped to minimum required environments - [ ] No secrets printed in logs (mask sensitive outputs) - [ ] Rotation policy defined for all credentials - [ ] OIDC tokens used instead of long-lived credentials where possible ### 🛡️ Supply Chain Security - [ ] All Actions/dependencies pinned to full SHA (not tags) - [ ] Dependency review enabled for PRs - [ ] SBOM (Software Bill of Materials) generated per release - [ ] Sigstore/cosign used for artifact signing - [ ] Third-party Actions audited and from verified publishers - [ ] Renovate/Dependabot configured with auto-merge limits ### 🔒 Permission Hardening - [ ] `permissions` block explicitly set (not using defaults) - [ ] `contents: read` as baseline (write only when needed) - [ ] `GITHUB_TOKEN` permissions minimized per job - [ ] Fork PR workflows restricted (no secret access) - [ ] Branch protection rules enforce CI pass + reviews ### 🧪 Code & Build Security - [ ] SAST scanner integrated (CodeQL/Semgrep/SonarQube) - [ ] Container image scanning (Trivy/Grype) - [ ] License compliance check in pipeline - [ ] Build reproducibility verified - [ ] No `npm install` with `--ignore-scripts` disabled ### 🚨 Runtime & Deployment - [ ] Deployment requires manual approval for production - [ ] Rollback mechanism tested and documented - [ ] Environment-specific configs separated - [ ] Canary/blue-green deployment for critical services - [ ] Post-deployment smoke tests automated ### 📊 Monitoring & Response - [ ] CI/CD audit logs retained (90+ days) - [ ] Alerts on unusual workflow patterns - [ ] Incident response playbook for compromised pipeline - [ ] Regular access review for CI/CD admin permissions ## Output Format For each item: 1. Current status: ✅ Implemented / ⚠️ Partial / ❌ Missing / ❓ Unknown 2. Priority: 🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low 3. Remediation: Specific steps to fix 4. Reference: Link to best practice documentation Provide an executive summary with: - Overall security score (0-100) - Top 3 critical fixes needed immediately - Estimated effort for full hardening (hours) - Quick wins (< 30 min to implement)
如何使用这条提示词
- 1复制上方完整提示词。
- 2在对应模型中替换主题、人物或风格变量。
- 3生成后记录有效调整,形成自己的版本。


