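# Configuration Security Analysis Script
<#
.SYNOPSIS
    Finds which services' Helm application.yml files contain credential-like
    keys and therefore need a Kubernetes Secret.

.DESCRIPTION
    For every service in -Services the script reads
    <BasePath>\<service>\conf\application.yml, matches each non-comment line
    against the key-name patterns below and records the KEY NAMES that hit.
    Values are never copied into the report (only the text before the first
    ':' is kept), so the console output and the JSON file are safe to share.

    A key whose value is empty, null, "" or '' (optionally followed by a
    '# comment') is not counted: such a line carries no credential. Services
    whose config file cannot be found are listed separately instead of being
    counted as "no sensitive info", so a typo in a service name or a missing
    file does not silently read as a clean result.

.PARAMETER Services
    Service directory names under -BasePath. Defaults to the shop-recycle set.
.PARAMETER BasePath
    Root folder containing <service>\conf\application.yml.
.PARAMETER OutputPath
    Destination of the JSON report (written as UTF-8).

.OUTPUTS
    Console report plus a JSON array of objects with the properties
    Service, NeedsSecret, SensitiveTypes, SensitiveFields, FieldCount.
#>
param(
    [string[]]$Services = @(
        'shop-recycle-account',
        'shop-recycle-agent-pc-web',
        'shop-recycle-async-web',
        'shop-recycle-customer-wechat-web',
        'shop-recycle-data-statistics',
        'shop-recycle-dealdata-service',
        'shop-recycle-dispatcher',
        'shop-recycle-erp-pc-web',
        'shop-recycle-gateway',
        'shop-recycle-gateway-out',
        'shop-recycle-gateway-out-upgrade',
        'shop-recycle-import-web',
        'shop-recycle-login-center',
        'shop-recycle-marketer-pc-web',
        'shop-recycle-merchant',
        'shop-recycle-merchant-pc-web',
        'shop-recycle-merchant-wechat-web',
        'shop-recycle-msg',
        'shop-recycle-order-center',
        'shop-recycle-order-search',
        'shop-recycle-oss-web',
        'shop-recycle-out-web',
        'shop-recycle-payment',
        'shop-recycle-payment-web',
        'shop-recycle-pis',
        'shop-recycle-platform',
        'shop-recycle-platform-pc-web',
        'shop-recycle-sche',
        'shop-recycle-store',
        'shop-recycle-store-pc-web',
        'shop-recycle-store-wechat-web',
        'shop-recycle-wechat',
        'shop-recycle-wechat-web',
        'shop-recycle-ws-web'
    ),
    [string]$BasePath = 'd:\coding-area\devops\helm\conf',
    [string]$OutputPath = 'd:\coding-area\devops\helm\config-analysis-report.json'
)

# Negative lookahead appended to every key pattern: the rest of the line must
# not be only whitespace, null, "" or '' (optionally followed by a '# comment').
# The \s* lives INSIDE the lookahead on purpose. With the earlier form
# ':\s*(?!null|"")' the regex engine could backtrack \s* to zero width and then
# evaluate the lookahead on the leading space, so 'password: null' and
# 'password: ""' were reported as credentials.
$nonEmptyValue = '(?!\s*(null|""|'''')?\s*(#.*)?$)'

# Key-name patterns per category, each ending at the ':' separator. The value
# check is added uniformly below so no category can bypass it (previously the
# second pattern of most categories had no exclusion and matched what the first
# pattern had just excluded). 'database_host' and the *_username categories
# are not secrets in themselves; they are kept here so NeedsSecret keeps the
# same meaning as before (any externalised connection setting).
$keyPatterns = [ordered]@{
    'database_password' = @('^\s*password\s*:', '^\s*jdbc-password\s*:', '^\s*datasource.*password\s*:')
    'database_username' = @('^\s*user(name)?\s*:', '^\s*jdbc-user(name)?\s*:')
    'database_host'     = @('^\s*(host|server|url)\s*:', '^\s*jdbc-url\s*:')
    'redis_password'    = @('^\s*redis.*password\s*:', '^\s*spring\.redis\.password\s*:')
    'rabbitmq_password' = @('^\s*rabbitmq.*password\s*:', '^\s*spring\.rabbitmq\.password\s*:')
    'wechat_app_id'     = @('^\s*(app[_-]?id|appid|wechat[_-]?id)\s*:', 'wechat.*app[_-]?id\s*:')
    'wechat_app_secret' = @('^\s*(app[_-]?secret|secret|wechat[_-]?secret)\s*:', 'wechat.*secret\s*:')
    'mongodb_password'  = @('^\s*mongodb.*password\s*:', '^\s*spring\.data\.mongodb\.password\s*:')
    'mongodb_username'  = @('^\s*mongodb.*user(name)?\s*:', '^\s*spring\.data\.mongodb\.user(name)?\s*:')
    'nacos_username'    = @('^\s*nacos.*user(name)?\s*:', 'nacos\.authentication\.user(name)?\s*:')
    'nacos_password'    = @('^\s*nacos.*password\s*:', 'nacos\.authentication\.password\s*:')
    # The unanchored form covers the previously separate '^\s*seata.*password' pattern.
    'seata_password'    = @('seata.*password\s*:')
    'api_key'           = @('^\s*(api[_-]?key|key)\s*:', 'secret[_-]?key\s*:')
    'token'             = @('^\s*token\s*:', '^\s*access[_-]?token\s*:')
}

# Final patterns: key pattern + non-empty-value check.
$sensitivePatterns = [ordered]@{}
foreach ($category in $keyPatterns.Keys) {
    $sensitivePatterns[$category] = @($keyPatterns[$category] | ForEach-Object { $_ + $nonEmptyValue })
}

function Find-SensitiveFields {
    <#
    .SYNOPSIS
        Scans YAML lines and returns an ordered hashtable of category -> unique key names.
    .PARAMETER Lines
        Lines of one application.yml (without line terminators).
    .PARAMETER Patterns
        Dictionary of category -> regex array, as built in $sensitivePatterns.
    .OUTPUTS
        [ordered] hashtable; empty when nothing matched. Key NAMES only, never values.
    #>
    param(
        [string[]]$Lines,
        [System.Collections.IDictionary]$Patterns
    )
    $found = [ordered]@{}
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        # Blank lines and YAML comments cannot carry a value.
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        foreach ($category in $Patterns.Keys) {
            foreach ($pattern in $Patterns[$category]) {
                if ($line -notmatch $pattern) { continue }
                # Keep only the key. Splitting on the FIRST ':' so a value that
                # itself contains ':' (a JDBC URL) cannot leak into the report.
                $fieldName = ($line -split ':', 2)[0].Trim()
                if (-not $found.Contains($category)) { $found[$category] = @() }
                if ($found[$category] -notcontains $fieldName) { $found[$category] += $fieldName }
                break   # one hit per category per line is enough
            }
        }
    }
    return $found
}

$analysisResults      = New-Object System.Collections.Generic.List[object]
$missingConfigs       = New-Object System.Collections.Generic.List[string]
$sensitiveInfoSummary = @{}

foreach ($service in $Services) {
    $ymlPath = "$BasePath\$service\conf\application.yml"
    if (-not (Test-Path -LiteralPath $ymlPath)) {
        # Not scanned is not the same as clean: record it and report it below.
        $missingConfigs.Add($service)
        continue
    }

    # Get-Content in line mode strips CR/LF, so patterns anchored on '$'
    # behave the same for CRLF and LF files.
    $lines    = @(Get-Content -LiteralPath $ymlPath -Encoding UTF8)
    $detected = Find-SensitiveFields -Lines $lines -Patterns $sensitivePatterns
    # Always an array (even for a single field) so the JSON shape is stable.
    $fields   = @($detected.Values | ForEach-Object { $_ } | Select-Object -Unique)

    $analysisResults.Add([PSCustomObject]@{
        Service         = $service
        NeedsSecret     = ($detected.Count -gt 0)
        SensitiveTypes  = @($detected.Keys)
        SensitiveFields = $fields
        FieldCount      = $fields.Count
    })

    # Per-category count of services.
    foreach ($type in $detected.Keys) {
        if (-not $sensitiveInfoSummary.ContainsKey($type)) { $sensitiveInfoSummary[$type] = 0 }
        $sensitiveInfoSummary[$type]++
    }
}

# Output results
Write-Host "========== SERVICE CONFIGURATION ANALYSIS REPORT ==========" -ForegroundColor Cyan
Write-Host ""

# Output each service
foreach ($result in $analysisResults) {
    Write-Host "Service Name: $($result.Service)" -ForegroundColor Yellow
    $needsSecretStr = if ($result.NeedsSecret) { "YES" } else { "NO" }
    $color          = if ($result.NeedsSecret) { 'Red' } else { 'Green' }
    Write-Host "Requires Secret: $needsSecretStr" -ForegroundColor $color
    if ($result.NeedsSecret) {
        Write-Host "Sensitive Info Types: $($result.SensitiveTypes -join ', ')"
        Write-Host "Sensitive Fields: $($result.SensitiveFields -join ', ')"
        Write-Host "Field Count: $($result.FieldCount)"
    }
    Write-Host ""
}

# Summary statistics
Write-Host "========== SUMMARY REPORT ==========" -ForegroundColor Cyan
$scannedCount     = $analysisResults.Count
$needsSecretCount = @($analysisResults | Where-Object { $_.NeedsSecret }).Count
Write-Host "Total Services: $($Services.Count)"
Write-Host "Services Scanned: $scannedCount"
Write-Host "Services Requiring Secret: $needsSecretCount"
# Computed from scanned services only; a missing file is not "no sensitive info".
Write-Host "Services without Sensitive Info: $($scannedCount - $needsSecretCount)"
if ($missingConfigs.Count -gt 0) {
    Write-Host "Services with no application.yml (NOT scanned): $($missingConfigs -join ', ')" -ForegroundColor Yellow
}
Write-Host ""

Write-Host "========== SENSITIVE INFO TYPE STATISTICS ==========" -ForegroundColor Cyan
foreach ($type in ($sensitiveInfoSummary.Keys | Sort-Object)) {
    Write-Host "$type : $($sensitiveInfoSummary[$type]) services"
}
Write-Host ""

Write-Host "========== DETAILED ANALYSIS RESULTS (JSON FORMAT) ==========" -ForegroundColor Cyan
$jsonOutput = $analysisResults | ConvertTo-Json -Depth 4
Write-Host $jsonOutput

# Save to file (key names only -- see header comment)
$jsonOutput | Out-File -LiteralPath $OutputPath -Encoding UTF8
Write-Host ""
Write-Host "Detailed report saved to: $OutputPath" -ForegroundColor Green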