<h1>Why AWS's repository-wide security scanner matters more than faster SAST</h1>
<p>Source: aws.amazon.com, <a href="https://aws.amazon.com/blogs/security/aws-security-agent-full-repository-code-scanning-feature-now-available-in-preview/">https://aws.amazon.com/blogs/security/aws-security-agent-full-repository-code-scanning-feature-now-available-in-preview/</a>. Published 2026-05-16. Category: tools. Tags: AWS Security Agent, repository-wide scanning, SAST, static analysis, application security, security model. Originally published in Traditional Chinese (zh); an English edition exists on the site under the slug aws-repository-wide-security-scanner-matters-en.</p>
<p data-speakable="summary">AWS Security Agent's repository-wide scanning catches the systemic vulnerabilities that actually matter, which is more than a merely faster pattern-based SAST can do.</p>
<p>AWS has picked the right direction here. What matters in security scanning is not speed but understanding the whole repository first, because the vulnerabilities that really hurt a team are rarely a single-line syntax slip. They are design failures that cross files, flows and trust boundaries.</p>
<p>The examples AWS gives in its preview announcement are not contrived: a validation function that fails to reject the single quote, a gap spread across five regex profiles; a stored procedure that bypasses that validation layer entirely; and an XSS case where one path in a file wraps output in Encode.forHtml() while another path in the same file does not. Each shows that scanning for local patterns surfaces the symptom but not the actual attack surface.</p>
<h2>The first point</h2>
<p>Security failures are usually systemic, not local. The most dangerous spot in a modern application is rarely one line missing an escape; it is an assumption that holds on only half of the paths. The inconsistent HTML encoding AWS describes is the textbook case: safe handling at one point in a file says nothing about the rest of the data flow, and as soon as another branch falls behind, that branch is the attacker's way in.</p>
<figure class="my-6"><img src="https://xxdpdyhzhpamafnrdkyq.supabase.co/storage/v1/object/public/covers/inline-1778901047875-n4l9.png" alt="Why AWS's repository-wide security scanner matters more than faster SAST" class="rounded-xl w-full" loading="lazy" /></figure>
<p>This is why repository-wide analysis is worth more than point-by-point SAST. Take a large service with more than 200 routes and dozens of helper functions. A pattern-based tool will enumerate the known sinks quickly, but it cannot necessarily tell which path is actually reachable, which upstream validation has been bypassed, or which authorization check only fires under certain conditions. AWS's approach is to build a security model of the repository first and only then look for bugs, and that ordering is closer to real risk than "match the pattern first".</p>
<h2>The second point</h2>
<p>Context matters more than pattern matching. Traditional SAST is good at explicit patterns, such as hard-coded secrets, direct SQL sinks and unescaped output, and that is useful. But when the problem is "one of five regex profiles is missing an exclusion" or "the validation function exists, but another stored procedure never goes through it", the pattern tool fails, because what it lacks is reasoning, not speed.</p>
<p>The most persuasive part of AWS's announcement is that it does not stop at the surface call, an EXECUTE IMMEDIATE. It follows the data back to the validation function, lists the five regex profiles, explains what the single quote does to the database engine, and then points out the bypass in the other procedure. The result is not "a few more alerts"; it is a design flaw that would otherwise require a human to read the whole system, laid out in front of the team. For an engineering team that is worth far more than scan speed.</p>
<h2>What the other side might say</h2>
<p>The strongest objection is straightforward: AI scanning produces too much noise, over-reasons, and gives a false sense of security. Security teams have seen plenty of tools that claim to be clever and then emit a pile of vague alerts, or narrate a plausible-looking attack path that cannot actually be traversed in the deployed environment. From that angle, traditional SAST is at least narrower, more predictable and easier to audit.</p>
<figure class="my-6"><img src="https://xxdpdyhzhpamafnrdkyq.supabase.co/storage/v1/object/public/covers/inline-1778901046535-8u7c.png" alt="Why AWS's repository-wide security scanner matters more than faster SAST" class="rounded-xl w-full" loading="lazy" /></figure>
<p>The worry is legitimate, and AWS does not pretend repository-wide scanning is a cure-all. Its verification pass deliberately re-reads each candidate result, separates verified evidence from context it could not verify, and attaches a severity and a confidence to each finding. The point is not to replace deterministic tools but to put them where they belong: predictable rule checks go to rule-based tools; problems that cross files, flows and authorization logic go to a system that understands the repository as a whole. That division of labour is the sensible one.</p>
<h2>What you can do</h2>
<p>Whether you are an engineer, a PM or a founder, do not treat repository-wide scanning as the last gate; treat it as an upstream review layer. Run it before a major release, when you inherit an unfamiliar codebase, and ahead of a security review, specifically to find cross-file logic errors, inconsistent encoding, authorization bypasses and trust-boundary problems. Then hand the high-risk findings to a person for a second look, because the goal is not to replace judgement with a tool but to spend human judgement where it counts most.</p>
<h2>Key takeaways</h2>
<ul>
<li>Repository-wide scanning catches systemic vulnerabilities that point-by-point pattern-based SAST misses.</li>
<li>The dangerous bugs usually cross files, flows and trust boundaries.</li>
<li>The best practice is to run rule-based tools and repository-wide reasoning together, with a human reviewing the high-risk findings.</li>
</ul>
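<p>The validation gap AWS describes (a regex profile that does not exclude the single quote, dynamic SQL assembled from a string, and a second procedure that skips validation altogether) can be reproduced in miniature. The following is an added example written for this page, not code from AWS or from the announcement: the five profiles, the tickets table, the function names and the payload are all constructed, and sqlite3 executing a concatenated statement stands in for EXECUTE IMMEDIATE. It shows why the quote matters to the engine, why a bind parameter neutralises it regardless of the regex, and why a procedure that never calls the validator is a bypass no profile fix can close.</p>

```python
import re
import sqlite3

# Five constructed validation profiles (hypothetical; not the five regex
# profiles from the AWS post). Four reject the single quote outright. The
# "note" profile was written to block tag characters and statement
# separators and silently lets the quote through.
PROFILES = {
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "email":    re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+"),
    "zip":      re.compile(r"[0-9]{5}"),
    "phone":    re.compile(r"\+?[0-9 -]{6,20}"),
    "note":     re.compile(r"[^<>;]{0,200}"),
}


def validate(value, profile):
    """Reject anything the profile's regex does not match in full."""
    if not PROFILES[profile].fullmatch(value):
        raise ValueError(f"{profile}: rejected {value!r}")
    return value


def is_accepted(value, profile):
    """Boolean wrapper around validate() for checks and tests."""
    try:
        validate(value, profile)
        return True
    except ValueError:
        return False


def profiles_allowing_quote():
    """The check a reviewer wants first: which profiles accept a single quote?"""
    return sorted(p for p, rx in PROFILES.items() if rx.fullmatch("o'brien"))


def setup_db():
    """Constructed sample table standing in for the real data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tickets(id INTEGER, note TEXT, owner TEXT);
        INSERT INTO tickets VALUES (1, 'printer jammed', 'alice'),
                                   (2, 'vpn broken', 'bob'),
                                   (3, 'reset my password', 'carol');
    """)
    return db


def find_by_note_dynamic(db, note):
    """Validated, then concatenated into the statement text: the analogue of
    an EXECUTE IMMEDIATE built from a string. The quote closes the literal
    and the remainder of the input becomes SQL syntax."""
    sql = "SELECT id FROM tickets WHERE note = '" + validate(note, "note") + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def find_by_note_bound(db, note):
    """Same validation, but the value travels as a bind parameter, so the
    quote stays data whatever the regex allows."""
    rows = db.execute("SELECT id FROM tickets WHERE note = ? ORDER BY id",
                      (validate(note, "note"),))
    return [row[0] for row in rows]


def find_by_owner_legacy(db, owner):
    """The second procedure from the announcement, in miniature: it never
    calls validate() at all, so even a corrected profile would not help."""
    sql = "SELECT id FROM tickets WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    payload = "x' OR '1'='1"   # constructed; contains none of < > ; so "note" accepts it
    db = setup_db()
    print("profiles that accept a quote:", profiles_allowing_quote())
    print("dynamic SQL :", find_by_note_dynamic(db, payload))   # every ticket
    print("bound param :", find_by_note_bound(db, payload))     # no ticket
    print("legacy proc :", find_by_owner_legacy(db, payload))   # every ticket
```

<p>The two fixes are independent: tightening the "note" profile closes the quote gap for callers that validate, while switching to bind parameters removes the dependence on the regex entirely; neither does anything for the legacy procedure until it is routed through the same path, which is exactly the cross-procedure fact a single-file pattern match cannot see.</p>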
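<p>To make the difference between "match the pattern first" and "build the model, then look for bugs" concrete, here is an added example; it is not AWS Security Agent's code, and the three-file mini-repository, the source, sanitizer and sink lists, and the two scanners are all constructed for this page. It parses the pseudo-files with Python's ast module, tracks taint from request.get() through assignments and string concatenation, clears it at a sanitizer call, and reports only the paths that reach a sink unsanitized, naming the file and function as evidence. A text-pattern pass over the same files flags every sink (half of them noise), and the file-level heuristic "this file uses an encoder, so suppress it" flags nothing, missing both real bugs. The intraprocedural, straight-line taint tracking is deliberately minimal; the point is the ordering of the work, not the completeness of the analysis.</p>

```python
import ast
import re

# Constructed mini-repository as source text (hypothetical app code written
# for this example, not from the AWS post). helpers.py holds the sanitizers;
# views.py has one encoded and one raw HTML path; reports.py has one
# procedure that validates before building dynamic SQL and one that skips it.
REPO = {
    "helpers.py": '''
import re
def encode_html(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
def validate_name(s):
    if not re.fullmatch(r"[A-Za-z0-9_ ]+", s):
        raise ValueError("rejected")
    return s
''',
    "views.py": '''
from helpers import encode_html
def profile_page(request):
    name = request.get("name")
    return render("<h1>" + encode_html(name) + "</h1>")
def banner_page(request):
    name = request.get("name")
    return render("<div class=banner>" + name + "</div>")
''',
    "reports.py": '''
from helpers import validate_name
def safe_report(request, db):
    who = validate_name(request.get("name"))
    db.execute_immediate("SELECT * FROM reports WHERE owner = '" + who + "'")
def legacy_report(request, db):
    who = request.get("name")
    db.execute_immediate("SELECT * FROM reports WHERE owner = '" + who + "'")
''',
}

# The security model: where attacker data enters, what neutralises it, and
# which calls are dangerous. Writing this down is the step a pure pattern
# matcher never takes.
SOURCES = {"request.get"}
SANITIZERS = {"encode_html", "validate_name"}
SINKS = {"render": "xss", "db.execute_immediate": "sqli"}


def dotted(node):
    """Dotted call-target name such as 'db.execute_immediate', or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def pattern_scan(repo, suppress_if_file_uses_sanitizer=False):
    """Text-pattern pass: every line containing a sink call is a hit. With the
    file-level heuristic on, any file that mentions a sanitizer is skipped."""
    hits = []
    for fname, src in repo.items():
        if suppress_if_file_uses_sanitizer and any(s in src for s in SANITIZERS):
            continue
        for lineno, line in enumerate(src.splitlines(), 1):
            for sink, kind in SINKS.items():
                if re.search(re.escape(sink) + r"\s*\(", line):
                    hits.append((fname, lineno, kind))
    return hits


def _tainted(node, tainted):
    """Does this expression carry attacker-controlled data?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted(node.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False                  # sanitizer output is treated as clean
        return any(_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):       # string concatenation propagates taint
        return _tainted(node.left, tainted) or _tainted(node.right, tainted)
    return False


def _scan_function(fname, fn):
    """Straight-line taint tracking over one function body."""
    tainted, findings = set(), []
    for stmt in fn.body:
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if _tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)
        for call in ast.walk(stmt):
            if isinstance(call, ast.Call) and dotted(call.func) in SINKS:
                if any(_tainted(a, tainted) for a in call.args):
                    findings.append((fname, fn.name, call.lineno, SINKS[dotted(call.func)]))
    return findings


def model_scan(repo):
    """Model-based pass: report only sink calls that tainted data reaches."""
    findings = []
    for fname, src in repo.items():
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.FunctionDef):
                findings += _scan_function(fname, node)
    return findings


if __name__ == "__main__":
    print("pattern        :", pattern_scan(REPO))
    print("file heuristic :", pattern_scan(REPO, suppress_if_file_uses_sanitizer=True))
    print("model          :", model_scan(REPO))
```

<p>Run stand-alone it prints four pattern hits, zero hits under the file-level heuristic, and exactly two model findings: banner_page in views.py (XSS) and legacy_report in reports.py (SQL injection). Scaling this from straight-line code to real repositories means interprocedural flow, control-flow sensitivity and a sanitizer list that has to be discovered rather than declared, which is the part the page attributes to the repository-wide model and the verification pass.</p>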