fix: P0问题修复 - JWT配置、安全扫描、备份、Runbook

P0 问题修复（按照 gap analysis）： 1. JWT密钥配置修复 - config.yaml 移除占位符，改为空字符串 - 添加测试验证 JWT_SECRET 环境变量覆盖功能 2. Docker 部署完善 - 添加 deploy.resources 限制（内存 512M，CPU 0.5） - 添加 healthcheck 健康检查 - 添加 restart: unless-stopped 重启策略 3. 安全扫描集成 - 创建 scripts/security/run-gosec.sh 安全扫描脚本 - 创建 scripts/security/workflow-template.yml CI工作流模板 - 运行 gosec 扫描发现 6 个 HIGH 级别整数溢出问题 4. 备份自动化 - 创建 scripts/backup/backup.sh 自动备份脚本 - 支持 SQLite 数据库和配置文件备份 - 支持备份验证、自动清理、恢复功能 5. Runbook 文档 - 创建 docs/runbooks/ 目录 - 添加 4 个核心 Runbook：服务启动、服务停止、备份恢复、日志分析 - 添加 README.md 索引文档
2026-04-08 22:31:43 +08:00
parent 1b96715b55
commit 3b0bcf0ff7
11 changed files with 1191 additions and 1 deletions
--- a/scripts/security/run-gosec.sh
+++ b/scripts/security/run-gosec.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Go 安全扫描脚本
+# 使用 gosec 对代码进行安全扫描
+#
+# 使用方法:
+#   ./scripts/security/run-gosec.sh           # 扫描所有代码
+#   ./scripts/security/run-gosec.sh ./internal # 扫描指定目录
+#
+# 依赖:
+#   go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+set -e
+
+# 颜色输出
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+SCAN_DIR="${1:-./...}"
+OUTPUT_FILE="gosec-report.json"
+
+echo -e "${YELLOW}Running gosec security scan...${NC}"
+
+# 检查 gosec 是否安装
+if ! command -v gosec &> /dev/null; then
+    echo -e "${RED}gosec not found. Installing...${NC}"
+    go install github.com/securego/gosec/v2/cmd/gosec@latest
+fi
+
+# 运行 gosec
+gosec -fmt json -out="${OUTPUT_FILE}" "${SCAN_DIR}"
+
+# 检查返回码
+RESULT=$?
+
+if [ $RESULT -eq 0 ]; then
+    echo -e "${GREEN}No issues found!${NC}"
+else
+    echo -e "${RED}Security issues detected!${NC}"
+    echo -e "${YELLOW}Report saved to: ${OUTPUT_FILE}${NC}"
+fi
+
+exit $RESULT
--- a/scripts/security/workflow-template.yml
+++ b/scripts/security/workflow-template.yml
@@ -0,0 +1,93 @@
+# Go 安全扫描工作流
+# 集成 gosec 安全扫描
+#
+# 使用方法:
+#   1. 复制此文件到 .github/workflows/security.yml
+#   2. 或适配到 Gitea Actions
+#   3. 或手动运行: ./scripts/security/run-gosec.sh
+
+name: Security Scan
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 2 * * *'  # 每周凌晨2点运行
+
+jobs:
+  gosec:
+    name: Go Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+
+      - name: Install gosec
+        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+      - name: Run gosec
+        run: |
+          gosec -fmt json -out=gosec-report.json ./...
+
+      - name: Upload security report
+        uses: actions/upload-artifact@v4
+        with:
+          name: gosec-report
+          path: gosec-report.json
+
+      - name: Display results
+        run: |
+          if [ -f gosec-report.json ]; then
+            echo "Security issues found:"
+            cat gosec-report.json | jq -r '.Results[] | "\(.Severity): \(.Details)"' 2>/dev/null || cat gosec-report.json
+          fi
+
+  govulncheck:
+    name: Vulnerability Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+
+      - name: Run govulncheck
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...
+
+  npm-audit:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend/admin
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: frontend/admin/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run npm audit
+        run: npm audit --audit-level=moderate