bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d8a80f6272a5915a8357b59b8398f8e7890febaf
2nd/10_Wiki/Topics/AI_and_ML/AI 코드 리뷰 및 보안 취약점 점검(DevSecOps).md
T
koriweb d8a80f6272 chore(wiki): dangling 링크 canonical 정규화 (768파일/1200건) 
이름만 다른(표기 변형) [[위키링크]]를 대상 문서의 canonical 제목으로 치환해
끊겼던 1,200개 링크를 연결. 제목/파일명 정규화 일치만 적용하고 별칭 매칭은
과병합 위험으로 제외(애매성 가드). 원본은 _link_reconcile_backup/ 에 백업.
도구: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 12:24:15 +09:00

291 lines
6.7 KiB
Markdown
Raw Blame History

---
id: wiki-2026-0508-ai-코드-리뷰-및-보안-취약점-점검-devsecops
title: AI Code Review + DevSecOps
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [DevSecOps with AI, AI security review, hybrid code review, shift-left security]
duplicate_of: none
source_trust_level: B
confidence_score: 0.85
verification_status: conceptual
tags: [devsecops, ai-code-review, sast, security, shift-left, owasp, ci-cd]
raw_sources: []
last_reinforced: 2026-05-09
github_commit: pending
inferred_by: Claude Opus 4.7 (manual cleanup 2026-05-09)
---
# AI Code Review + DevSecOps
## 📌 한 줄 통찰
> **Shift-left security**. 매 SDLC 의 early 의 SAST + AI review + human. 매 mechanical 의 AI, 매 architectural 의 human.
## 📖 핵심
### Hybrid model
- **AI**: pattern matching, syntax, known CVE.
- **Human**: business logic, architecture, novel attack.
- **Together**: 매 layer 의 different defect class.
### Shift-left phases
#### IDE (real-time)
- 매 keystroke 의 lint / type.
- Cursor / Copilot 의 inline.
#### Pre-commit (local)
- Husky + lint-staged.
- 매 dev 의 first defense.
#### PR (automated)
- CodeRabbit / Greptile.
- Snyk / Sonar SAST.
- 매 dependency check.
#### CI deep
- Container scan.
- Dependency vulnerability.
- License check.
#### Pre-deploy
- Integration security test.
- DAST (runtime).
#### Production
- WAF.
- RASP (runtime application self-protection).
- 매 alert / incident.
### 매 OWASP Top 10 (2021)
1. Broken Access Control.
2. Cryptographic Failures.
3. Injection (SQL, XSS, Command).
4. Insecure Design.
5. Security Misconfiguration.
6. Vulnerable Components.
7. Authentication Failures.
8. Software / Data Integrity.
9. Logging / Monitoring Failures.
10. SSRF.
→ 매 SAST 의 mostly cover. 매 #4 (insecure design) = human.
### Tool stack (2026)
#### IDE
- Cursor (AI-native).
- Snyk Code IDE plugin.
- GitHub Copilot Chat.
#### CI / PR
- CodeRabbit (LLM review).
- Snyk Code (SAST).
- Sonar (quality + security).
- Semgrep (custom pattern).
- GitHub Advanced Security (CodeQL).
#### Container
- Trivy (image scan).
- Snyk Container.
- Docker Scout.
#### Dependency
- Dependabot.
- Renovate.
- Snyk Open Source.
#### Secret
- TruffleHog.
- GitGuardian.
- 매 pre-commit hook.
#### DAST
- OWASP ZAP.
- Burp Suite.
### 매 quality gate
#### PR gate
- 매 high severity 의 fail.
- 매 critical CVE 의 block.
- 매 secret 의 detection 의 block.
#### Pre-deploy gate
- 매 manual approve (high-risk).
- 매 automated test 의 pass.
### Compliance
#### SOC 2
- 매 audit log.
- 매 access control.
- 매 incident response.
#### PCI DSS (payment)
- 매 encryption.
- 매 segmentation.
#### GDPR (privacy)
- 매 data minimization.
- 매 consent.
#### HIPAA (health)
- 매 PHI handling.
### Vibe coding 의 specific risk
- 매 AI-generated code 의 security blind spot.
- 매 prompt injection 의 reproduce.
- 매 hardcoded secret (LLM 의 example).
- 매 outdated security practice.
## 💻 Code
### CI workflow
```yaml
# .github/workflows/devsecops.yml
on: [pull_request, push]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
# Secret scan
- uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
# SAST
- uses: snyk/actions/setup@master
- run: snyk code test --severity-threshold=high
# Dependency
- run: snyk test --severity-threshold=high
# Container
- run: docker build -t app .
- uses: aquasecurity/trivy-action@master
with:
image-ref: 'app'
severity: 'CRITICAL,HIGH'
exit-code: '1'
# SARIF upload (GitHub Security tab)
- uses: github/codeql-action/upload-sarif@v3
```
### Custom Semgrep rule (prompt injection)
```yaml
# .semgrep/prompt-injection.yaml
rules:
- id: llm-prompt-concat
pattern-either:
- pattern: |
$LLM.complete($PROMPT + $USER_INPUT)
- pattern: |
$LLM.complete(`...${$USER_INPUT}...`)
message: |
Prompt injection: user input concatenated. Use template / sanitize.
severity: ERROR
languages: [python, javascript, typescript]
```
### Pre-commit hook (secret + lint)
```yaml
# .pre-commit-config.yaml
repos:
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: check-yaml
- repo: local
hooks:
- id: lint
name: lint
entry: npm run lint
language: system
```
### SARIF (security findings format)
```json
{
"version": "2.1.0",
"runs": [{
"tool": { "driver": { "name": "MyScanner" } },
"results": [{
"ruleId": "sql-injection",
"level": "error",
"message": { "text": "SQL injection in users.ts:42" },
"locations": [{
"physicalLocation": {
"artifactLocation": { "uri": "src/users.ts" },
"region": { "startLine": 42 }
}
}]
}]
}]
}
```
### Renovate (dep update + security)
```json
// renovate.json
{
"extends": ["config:recommended", ":automergePatch"],
"vulnerabilityAlerts": {
"labels": ["security"],
"automerge": true
}
}
```
## 🤔 결정 기준
| Risk | Tool layer |
|---|---|
| Low (lint, style) | IDE / pre-commit |
| Medium (SAST) | PR gate (Snyk / Sonar) |
| High (CVE, secret) | PR block + alert |
| Critical (zero-day) | Manual + emergency patch |
| AI-generated code | Enhanced review |
**기본값**: IDE + PR + pre-deploy 의 layered. 매 gate 의 different threshold.
## 🔗 Graph
- 부모: [[CI/CD Pipeline & IDE Security Integration|DevSecOps]] · [[AI_코드_리뷰]] · [[Security]]
- 변형: [[SAST]] · [[보안 및 시스템 신뢰성 표준|DAST]] · [[Shift-Left-Security]]
- 응용: [[CodeRabbit]] · [[Sonar]] · [[Semgrep]]
- 매 OWASP: [[OWASP Top 10]]
- Adjacent: [[Dependency-Update]] · [[Secret-Detection]]
## 🤖 LLM 활용
**언제**: 매 production system 의 security strategy. 매 vibe coding 의 review.
**언제 X**: 매 throwaway script. Specific compliance audit (auditor).
## ❌ 안티패턴
- **AI 만 의존**: 매 architecture flaw miss.
- **Manual 만**: 매 mechanical pattern miss.
- **No quality gate**: 매 vulnerability 의 ship.
- **Generic alert (no severity)**: alert fatigue.
- **No secret scan + AI 의 hardcode**: leak.
## 🧪 검증 / 중복
- Verified.
- 신뢰도 B.
- Related: [[AI_코드_리뷰]] · [[AI-Code-Assurance]] · [[OWASP-API-Top-10]].
## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-09 | Manual cleanup — shift-left + tool stack + code + 결정 |
Reference in New Issue View Git Blame Copy Permalink