实现示例
type File = { path: string; content: string }
// Signature patterns for well-known credential formats. Each entry is a
// non-global RegExp, so `.test()` carries no lastIndex state between calls.
const regexes: RegExp[] = [
  /AKIA[0-9A-Z]{16}/, // AWS Access Key
  /ghp_[A-Za-z0-9]{36}/, // GitHub Token
  /AIza[0-9A-Za-z\-_]{35}/, // Google API Key
]
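/**
 * Shannon entropy of `s` in bits per character (0 for the empty string).
 *
 * Occurrences are counted per Unicode code point (`for..of` iterates code
 * points), and the divisor is the number of code points actually visited —
 * the original divided by `s.length` (UTF-16 units), so probabilities did not
 * sum to 1 for strings containing astral characters. A Map is used instead of
 * a plain-object dictionary so the lookup type-checks under
 * `noUncheckedIndexedAccess` and no prototype key can be mistaken for data.
 *
 * @param s - the text to measure
 * @returns entropy in bits, from 0 (a single repeated character) up to log2 of the number of distinct characters
 */
function entropy(s: string): number {
  const counts = new Map<string, number>()
  let total = 0
  for (const ch of s) {
    counts.set(ch, (counts.get(ch) ?? 0) + 1)
    total++
  }
  if (total === 0) return 0
  let bits = 0
  for (const c of counts.values()) {
    const p = c / total
    bits -= p * Math.log2(p) // -p*log2(p); subtracting keeps +0 for p === 1
  }
  return bits
}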
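/**
 * Decide whether a single line looks like it contains a secret.
 *
 * A match against any known credential format (`regexes`) is a hit
 * regardless of entropy. Otherwise every 24+ character base64-like token on
 * the line is measured on its own: the original measured entropy over the
 * whole line, which both hides a secret embedded in a long line of prose
 * (diluted below the threshold) and flags dense lines of code that contain
 * no secret at all.
 *
 * @param s - one line of file content
 * @param threshold - minimum entropy in bits per character for a token to count (default 4.0)
 * @returns true when the line should be reported
 */
function suspicious(s: string, threshold = 4.0): boolean {
  if (regexes.some(r => r.test(s))) return true
  // Global flag: collect every candidate token on the line, not just the first.
  const candidates = s.match(/[A-Za-z0-9+/=]{24,}/g) ?? []
  return candidates.some(tok => entropy(tok) >= threshold)
}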
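/**
 * Scan each file line by line and report the first suspicious line per file.
 *
 * The recorded snippet is redacted first: every match of a known credential
 * pattern (`regexes`) and every 24+ character base64-like token is replaced
 * by a placeholder that carries only the match length. The hit therefore
 * locates the finding (path, 1-based line number) without copying the secret
 * itself into whatever consumes the result (logs, tickets, CI output).
 * The original stored the raw line, i.e. the secret verbatim.
 *
 * @param files - in-memory files to scan
 * @returns at most one hit per file, each with a redacted snippet of at most 200 characters
 */
function scan(files: File[]): { hits: { path: string; line: number; snippet: string }[] } {
  const hits: { path: string; line: number; snippet: string }[] = []
  for (const f of files) {
    const lines = f.content.split(/\r?\n/)
    for (const [i, ln] of lines.entries()) {
      if (!suspicious(ln)) continue
      hits.push({ path: f.path, line: i + 1, snippet: redact(ln).slice(0, 200) })
      break // one finding per file is enough to block the commit
    }
  }
  return { hits }
}

/** Replace anything that looks like a secret with a length-only placeholder. */
function redact(ln: string): string {
  const placeholder = (m: string): string => `[REDACTED ${m.length} chars]`
  let out = ln
  for (const r of regexes) {
    // Re-create with the global flag so every occurrence on the line is masked.
    const flags = r.flags.includes('g') ? r.flags : r.flags + 'g'
    out = out.replace(new RegExp(r.source, flags), placeholder)
  }
  return out.replace(/[A-Za-z0-9+/=]{24,}/g, placeholder)
}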
审计与运行治理
提交前阻断命中项并输出修复建议；允许受控例外并设置到期时间。审计记录包含文件路径与片段摘要；禁止将机密写入日志。
