Files

T

koriweb d8a80f6272 chore(wiki): dangling 링크 canonical 정규화 (768파일/1200건)

이름만 다른(표기 변형) [[위키링크]]를 대상 문서의 canonical 제목으로 치환해
끊겼던 1,200개 링크를 연결. 제목/파일명 정규화 일치만 적용하고 별칭 매칭은
과병합 위험으로 제외(애매성 가드). 원본은 _link_reconcile_backup/ 에 백업.
도구: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-08 12:24:15 +09:00

6.7 KiB

Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, inferred_by

title

AI Code Review + DevSecOps

📌 한 줄 통찰

Shift-left security. 매 SDLC 의 early 의 SAST + AI review + human. 매 mechanical 의 AI, 매 architectural 의 human.

📖 핵심

Hybrid model

AI: pattern matching, syntax, known CVE.
Human: business logic, architecture, novel attack.
Together: 매 layer 의 different defect class.

Shift-left phases

IDE (real-time)

매 keystroke 의 lint / type.
Cursor / Copilot 의 inline.

Pre-commit (local)

Husky + lint-staged.
매 dev 의 first defense.

PR (automated)

CodeRabbit / Greptile.
Snyk / Sonar SAST.
매 dependency check.

CI deep

Container scan.
Dependency vulnerability.
License check.

Pre-deploy

Integration security test.
DAST (runtime).

Production

WAF.
RASP (runtime application self-protection).
매 alert / incident.

매 OWASP Top 10 (2021)

Broken Access Control.
Cryptographic Failures.
Injection (SQL, XSS, Command).
Insecure Design.
Security Misconfiguration.
Vulnerable Components.
Authentication Failures.
Software / Data Integrity.
Logging / Monitoring Failures.
SSRF.

→ 매 SAST 의 mostly cover. 매 #4 (insecure design) = human.

Tool stack (2026)

IDE

Cursor (AI-native).
Snyk Code IDE plugin.
GitHub Copilot Chat.

CI / PR

CodeRabbit (LLM review).
Snyk Code (SAST).
Sonar (quality + security).
Semgrep (custom pattern).
GitHub Advanced Security (CodeQL).

Container

Trivy (image scan).
Snyk Container.
Docker Scout.

Dependency

Dependabot.
Renovate.
Snyk Open Source.

Secret

TruffleHog.
GitGuardian.
매 pre-commit hook.

DAST

OWASP ZAP.
Burp Suite.

매 quality gate

PR gate

매 high severity 의 fail.
매 critical CVE 의 block.
매 secret 의 detection 의 block.

Pre-deploy gate

매 manual approve (high-risk).
매 automated test 의 pass.

Compliance

SOC 2

매 audit log.
매 access control.
매 incident response.

PCI DSS (payment)

매 encryption.
매 segmentation.

매 data minimization.
매 consent.

HIPAA (health)

매 PHI handling.

Vibe coding 의 specific risk

매 AI-generated code 의 security blind spot.
매 prompt injection 의 reproduce.
매 hardcoded secret (LLM 의 example).
매 outdated security practice.

💻 Code

CI workflow

# .github/workflows/devsecops.yml
on: [pull_request, push]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      
      # Secret scan
      - uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
      
      # SAST
      - uses: snyk/actions/setup@master
      - run: snyk code test --severity-threshold=high
      
      # Dependency
      - run: snyk test --severity-threshold=high
      
      # Container
      - run: docker build -t app .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'app'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
      
      # SARIF upload (GitHub Security tab)
      - uses: github/codeql-action/upload-sarif@v3

Custom Semgrep rule (prompt injection)

# .semgrep/prompt-injection.yaml
rules:
  - id: llm-prompt-concat
    pattern-either:
      - pattern: |
          $LLM.complete($PROMPT + $USER_INPUT)
      - pattern: |
          $LLM.complete(`...${$USER_INPUT}...`)
    message: |
      Prompt injection: user input concatenated. Use template / sanitize.
    severity: ERROR
    languages: [python, javascript, typescript]

Pre-commit hook (secret + lint)

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
      - id: check-yaml
  - repo: local
    hooks:
      - id: lint
        name: lint
        entry: npm run lint
        language: system

SARIF (security findings format)

{
  "version": "2.1.0",
  "runs": [{
    "tool": { "driver": { "name": "MyScanner" } },
    "results": [{
      "ruleId": "sql-injection",
      "level": "error",
      "message": { "text": "SQL injection in users.ts:42" },
      "locations": [{
        "physicalLocation": {
          "artifactLocation": { "uri": "src/users.ts" },
          "region": { "startLine": 42 }
        }
      }]
    }]
  }]
}

Renovate (dep update + security)

// renovate.json
{
  "extends": ["config:recommended", ":automergePatch"],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": true
  }
}

🤔 결정 기준

Risk	Tool layer
Low (lint, style)	IDE / pre-commit
Medium (SAST)	PR gate (Snyk / Sonar)
High (CVE, secret)	PR block + alert
Critical (zero-day)	Manual + emergency patch
AI-generated code	Enhanced review

기본값: IDE + PR + pre-deploy 의 layered. 매 gate 의 different threshold.

🔗 Graph

부모: CI/CD Pipeline & IDE Security Integration · AI_코드_리뷰 · Security
변형: SAST · 보안 및 시스템 신뢰성 표준 · Shift-Left-Security
응용: CodeRabbit · Sonar · Semgrep
매 OWASP: OWASP Top 10
Adjacent: Dependency-Update · Secret-Detection

🤖 LLM 활용

언제: 매 production system 의 security strategy. 매 vibe coding 의 review. 언제 X: 매 throwaway script. Specific compliance audit (auditor).

❌ 안티패턴

AI 만 의존: 매 architecture flaw miss.
Manual 만: 매 mechanical pattern miss.
No quality gate: 매 vulnerability 의 ship.
Generic alert (no severity): alert fatigue.
No secret scan + AI 의 hardcode: leak.

🧪 검증 / 중복

Verified.
신뢰도 B.
Related: AI_코드_리뷰 · AI-Code-Assurance · OWASP-API-Top-10.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-09	Manual cleanup — shift-left + tool stack + code + 결정

6.7 KiB Raw Blame History