awoooi/docs/security/kali-scan-scope-approval.snapshot.json
Your Name 9e15fd08b3
feat(web): land iwooos security posture surfaces
2026-05-25 20:35:52 +08:00


{
"schema_version": "kali_scan_scope_approval_v1",
"status": "draft_waiting_approval",
"date": "2026-05-13",
"source_host": {
"asset_key": "host:kali-112",
"ip": "192.168.0.112",
"role": "Kali 資安感測與掃描 API 主機"
},
"mode": "approval_only",
"scope_groups": [
{
"group_id": "kali_112_health",
"title": "Kali 112 health 與 scanner 狀態",
"default_mode": "observe",
"scan_level": "health_only",
"assets": [
{
"asset_key": "host:kali-112",
"target_type": "host",
"target": "192.168.0.112",
"environment": "infra",
"owner_team": "security-commander",
"allowed_scan_modes": [
"health_only",
"passive_inventory"
],
"approval_required": false,
"notes": "只允許 health / service / tool version 類觀測;不得啟動 active scan 或 /execute。"
}
]
},
{
"group_id": "dev_hosts_observe_only",
"title": "開發主機 111 / 168 observe-only 納管",
"default_mode": "observe",
"scan_level": "passive",
"assets": [
{
"asset_key": "host:dev-111",
"target_type": "host",
"target": "192.168.0.111",
"environment": "dev",
"owner_team": "dev-host-steward",
"allowed_scan_modes": [
"passive_inventory"
],
"approval_required": false,
"notes": "先納入資產地圖與 owner任何 credentialed scan、active scan、service hardening 都要另走 approval。"
},
{
"asset_key": "host:dev-168",
"target_type": "host",
"target": "192.168.0.168",
"environment": "dev",
"owner_team": "dev-host-steward",
"allowed_scan_modes": [
"passive_inventory"
],
"approval_required": false,
"notes": "先納入資產地圖與 owner不得把 dev host observation 直接變成 compliance blocker。"
}
]
},
{
"group_id": "core_runtime_hosts",
"title": "核心 runtime 主機健康與被動盤點",
"default_mode": "observe",
"scan_level": "passive",
"assets": [
{
"asset_key": "host:infra-110",
"target_type": "host",
"target": "192.168.0.110",
"environment": "infra",
"owner_team": "sre-security",
"allowed_scan_modes": [
"health_only",
"passive_inventory"
],
"approval_required": false,
"notes": "Gitea、Harbor、runner、monitoring 類控制面只做 read-only evidenceactive port scan 需另批。"
},
{
"asset_key": "host:k3s-120",
"target_type": "host",
"target": "192.168.0.120",
"environment": "prod",
"owner_team": "sre-security",
"allowed_scan_modes": [
"health_only",
"passive_inventory"
],
"approval_required": false,
"notes": "K3s node 初期只接既有 health / metadata evidence不改 RBAC 或 NetworkPolicy。"
},
{
"asset_key": "host:k3s-121",
"target_type": "host",
"target": "192.168.0.121",
"environment": "prod",
"owner_team": "sre-security",
"allowed_scan_modes": [
"health_only",
"passive_inventory"
],
"approval_required": false,
"notes": "K3s node 初期只接既有 health / metadata evidence不改 RBAC 或 NetworkPolicy。"
},
{
"asset_key": "host:data-ai-188",
"target_type": "host",
"target": "192.168.0.188",
"environment": "prod",
"owner_team": "sre-security",
"allowed_scan_modes": [
"health_only",
"passive_inventory"
],
"approval_required": false,
"notes": "DB、Redis、AI、SignOz、MinIO 類服務初期只做被動 evidence不做 credentialed scan。"
}
]
},
{
"group_id": "public_web_perimeter",
"title": "公開網站與 API 邊界",
"default_mode": "warn",
"scan_level": "safe_active",
"assets": [
{
"asset_key": "web:awoooi-public-domains",
"target_type": "website",
"target": "public_product_domains_from_service_endpoints",
"environment": "prod",
"owner_team": "web-perimeter",
"allowed_scan_modes": [
"tls_header_check",
"basic_crawl"
],
"approval_required": true,
"notes": "TLS/header/basic crawl 可以準備批准active DAST、fuzz、auth flow testing 必須另批。"
}
]
},
{
"group_id": "kali_execute_and_maintenance",
"title": "Kali /execute 與維護窗口",
"default_mode": "block_candidate",
"scan_level": "execute",
"assets": [
{
"asset_key": "tool:kali-scanner-execute",
"target_type": "tool",
"target": "kali-scanner:/execute",
"environment": "infra",
"owner_team": "security-commander",
"allowed_scan_modes": [
"blocked"
],
"approval_required": true,
"notes": "AwoooP 不得直接接此 endpoint若未來保留必須獨立 high-risk approval、allowlist、audit、disable gate。"
},
{
"asset_key": "host:kali-112-maintenance",
"target_type": "host",
"target": "192.168.0.112",
"environment": "infra",
"owner_team": "security-commander",
"allowed_scan_modes": [
"full_upgrade_reboot"
],
"approval_required": true,
"notes": "Kali rolling full-upgrade / autoremove / reboot 必須排維護窗口、snapshot、rollback 與 post-health check。"
}
]
}
],
"approval_gates": [
{
"gate_id": "kali-safe-web-crawl-approval-20260513",
"requested_action": "run_safe_active_scan",
"risk": "MEDIUM",
"required_reviewers": [
"security-commander",
"human-owner"
],
"blocked_until_approved": true,
"evidence_refs": [
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
"docs/security/KALI-SECURITY-MESH-BLUEPRINT.md"
]
},
{
"gate_id": "kali-credentialed-scan-approval-20260513",
"requested_action": "run_credentialed_scan",
"risk": "HIGH",
"required_reviewers": [
"security-commander",
"vuln-verifier",
"human-owner"
],
"blocked_until_approved": true,
"evidence_refs": [
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
"docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
]
},
{
"gate_id": "kali-execute-endpoint-approval-20260513",
"requested_action": "call_execute_endpoint",
"risk": "CRITICAL",
"required_reviewers": [
"critic",
"security-commander",
"human-owner"
],
"blocked_until_approved": true,
"evidence_refs": [
"docs/security/KALI-INTEGRATION-STATUS.md",
"docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
]
},
{
"gate_id": "kali-finding-runtime-ingestion-approval-20260513",
"requested_action": "ingest_findings_to_awooop_runtime",
"risk": "MEDIUM",
"required_reviewers": [
"security-commander",
"human-owner"
],
"blocked_until_approved": true,
"evidence_refs": [
"docs/security/SECURITY-FINDING-CONTRACT.md",
"docs/security/security-finding-kali-sample.snapshot.json"
]
},
{
"gate_id": "kali-full-upgrade-reboot-approval-20260513",
"requested_action": "run_full_upgrade_reboot",
"risk": "HIGH",
"required_reviewers": [
"security-commander",
"human-owner"
],
"blocked_until_approved": true,
"evidence_refs": [
"docs/security/KALI-INTEGRATION-STATUS.md"
]
}
],
"finding_ingestion_policy": {
"finding_contract": "security_finding_v1",
"consumption_mode": "mirror_only",
"redaction_required": true,
"runtime_ingestion_status": "not_enabled_contract_only",
"storage_landing": [
"asset_inventory.metadata",
"asset_compliance_snapshot",
"asset_change_event",
"AwoooP Runtime State / Channel Event / Audit mirror"
],
"awooop_allowed_actions": [
"mirror_redacted_finding",
"display_scope_group",
"display_approval_gate",
"create_approval_candidate"
],
"awooop_forbidden_actions": [
"start_scan",
"call_execute_endpoint",
"store_secret_value",
"auto_patch",
"auto_block_deploy"
]
},
"still_forbidden": [
"run_active_scan_without_scope_approval",
"run_credentialed_scan_without_approval",
"call_execute_endpoint_from_awooop_runtime",
"store_api_key_password_token_cookie_or_private_key",
"change_firewall_networkpolicy_rbac_or_route",
"full_upgrade_autoremove_or_reboot_without_maintenance_window",
"turn_low_medium_observations_into_blocking_gates"
]
}