
























11// Covers baseline config security audit findings.
22import { describe, expect, it } from "vitest";
3+import {
4+onInternalDiagnosticEvent,
5+resetDiagnosticEventsForTest,
6+type DiagnosticSecurityEvent,
7+} from "../infra/diagnostic-events.js";
38import { collectMinimalProfileOverrideFindings } from "./audit-extra.sync.js";
49import { collectElevatedFindings, runSecurityAudit } from "./audit.js";
51011+function captureSecurityEvents(): {
12+events: DiagnosticSecurityEvent[];
13+stop: () => void;
14+} {
15+const events: DiagnosticSecurityEvent[] = [];
16+const stop = onInternalDiagnosticEvent((event, metadata) => {
17+if (metadata.trusted && event.type === "security.event") {
18+events.push(event);
19+}
20+});
21+return { events, stop };
22+}
23+624describe("security audit config basics", () => {
725it("flags agent profile overrides when global tools.profile is minimal", () => {
826const findings = collectMinimalProfileOverrideFindings({
@@ -133,4 +151,52 @@ describe("security audit config basics", () => {
133151]),
134152);
135153});
154+155+it("emits a redacted security audit summary event", async () => {
156+resetDiagnosticEventsForTest();
157+const captured = captureSecurityEvents();
158+159+let report: Awaited<ReturnType<typeof runSecurityAudit>>;
160+try {
161+report = await runSecurityAudit({
162+config: {
163+logging: {
164+redactSensitive: "off",
165+},
166+},
167+sourceConfig: {},
168+env: {},
169+includeFilesystem: false,
170+includeChannelSecurity: false,
171+});
172+} finally {
173+captured.stop();
174+}
175+176+expect(report!.summary.warn).toBeGreaterThan(0);
177+const expectedSeverity = report!.summary.critical > 0 ? "critical" : "medium";
178+expect(captured.events).toHaveLength(1);
179+expect(captured.events[0]).toMatchObject({
180+category: "audit",
181+action: "security.audit.completed",
182+outcome: "failure",
183+severity: expectedSeverity,
184+actor: { kind: "operator" },
185+target: { kind: "config", name: "security.audit" },
186+policy: { id: "security.audit", decision: "not_applicable" },
187+control: { id: "security.audit", family: "authorization" },
188+attributes: {
189+critical_count: report!.summary.critical,
190+warn_count: report!.summary.warn,
191+info_count: report!.summary.info,
192+suppressed_count: 0,
193+deep: false,
194+include_filesystem: false,
195+include_channel_security: false,
196+},
197+});
198+const serialized = JSON.stringify(captured.events);
199+expect(serialized).not.toContain("redactSensitive");
200+expect(serialized).not.toContain("logs and status output");
201+});
136202});
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。