Update nexus: fix conflicts and sync local changes
@@ -1,64 +1,64 @@
# Break-the-Build

## Definition
"Break the Build" is a mechanism that stops the development process if security risks are too high until resolved.

## Concept
当 CI/CD 管道中的安全扫描发现高风险问题时,自动阻止构建继续进行,直到安全问题得到修复。

## How It Works

### Trigger Conditions
- SAST 发现高危漏洞
- SCA 发现有漏洞的依赖
- 机密信息泄露检测
- 许可证合规违规

### Process Flow
```
代码提交 → 构建开始 → 安全扫描 →
├─ 通过 → 继续部署
└─ 失败 → 停止构建 → 通知团队 → 修复 → 重新提交
```

## Implementation

### CI/CD Integration
```yaml
# GitLab CI Example
security_scan:
stage: test
script:
- sast-scan
allow_failure: false # 阻止构建
```

### Gatekeeping Strategy
| 漏洞等级 | 默认策略 |
|---------|---------|
| Critical | 强制阻止 |
| High | 阻止(可配置) |
| Medium | 警告 |
| Low | 忽略 |

## Benefits
- 防止不安全代码进入生产环境
- 强制开发者及时修复安全问题
- 提高整体安全基线
- 减少安全债务

## Best Practices
1. 明确定义"阻塞"阈值
2. 平衡安全与开发速度
3. 提供清晰的错误信息
4. 集成通知机制

## Related Concepts
- [[DevSecOps]] — Break-the-Build 是其自动化组件
- [[SAST]] — 触发条件来源
- [[SCA]] — 触发条件来源
- [[CI/CD Pipeline]] — 实施载体
- [[Shift-Left-Security]] — 早期发现问题的策略

## Sources
- [[what-is-devsecops-best-practices-benefits-and-tools]]
# Break-the-Build

## Definition
"Break the Build" is a mechanism that stops the development process if security risks are too high until resolved.

## Concept
当 CI/CD 管道中的安全扫描发现高风险问题时,自动阻止构建继续进行,直到安全问题得到修复。

## How It Works

### Trigger Conditions
- SAST 发现高危漏洞
- SCA 发现有漏洞的依赖
- 机密信息泄露检测
- 许可证合规违规

### Process Flow
```
代码提交 → 构建开始 → 安全扫描 →
├─ 通过 → 继续部署
└─ 失败 → 停止构建 → 通知团队 → 修复 → 重新提交
```

## Implementation

### CI/CD Integration
```yaml
# GitLab CI Example
security_scan:
stage: test
script:
- sast-scan
allow_failure: false # 阻止构建
```

### Gatekeeping Strategy
| 漏洞等级 | 默认策略 |
|---------|---------|
| Critical | 强制阻止 |
| High | 阻止(可配置) |
| Medium | 警告 |
| Low | 忽略 |

## Benefits
- 防止不安全代码进入生产环境
- 强制开发者及时修复安全问题
- 提高整体安全基线
- 减少安全债务

## Best Practices
1. 明确定义"阻塞"阈值
2. 平衡安全与开发速度
3. 提供清晰的错误信息
4. 集成通知机制

## Related Concepts
- [[DevSecOps]] — Break-the-Build 是其自动化组件
- [[SAST]] — 触发条件来源
- [[SCA]] — 触发条件来源
- [[CI/CD Pipeline]] — 实施载体
- [[Shift-Left-Security]] — 早期发现问题的策略

## Sources
- [[what-is-devsecops-best-practices-benefits-and-tools]]
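Review bot: all 64 lines of this hunk (`-1,64 +1,64`) are marked as changed, yet the old and new sides render identically from `# Break-the-Build` down to the `[[what-is-devsecops-best-practices-benefits-and-tools]]` source link, which usually means a whitespace-only or line-ending change (CRLF versus LF is the common case after resolving conflicts across machines); confirm with `git diff -w` on this commit and, if that is what it is, normalize once with a `.gitattributes` rule such as `* text=auto` so later syncs stop rewriting the whole file. On the note's content: the GitLab CI example under `### CI/CD Integration` does not by itself enforce the table under `### Gatekeeping Strategy`. `allow_failure: false` is already GitLab's default for a job, and the job fails only when the `sast-scan` command (a placeholder, not a named tool) exits non-zero, so the Critical/High threshold has to be passed to the scanner so that its exit status reflects the policy, and the Medium "warn" row needs a separate job with `allow_failure: true`, which GitLab shows as a warning instead of a failure. The Low "ignore" row should still keep the findings, for example as a job artifact, rather than dropping them, otherwise the "reduce security debt" item under `## Benefits` is undercut.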