弱點掃描 on Eric 個人部落格

弱點掃描 on Eric 個人部落格https://chihhung.github.io/Blog/tags/%E5%BC%B1%E9%BB%9E%E6%8E%83%E6%8F%8F/Recent content in 弱點掃描 on Eric 個人部落格Hugo -- 0.151.0zh-TWMon, 18 May 2026 00:00:00 +0000安全測試與弱點掃描報告範本（Security Scan Report Template）https://chihhung.github.io/Blog/posts/%E6%95%99%E5%AD%B8/templates/testing/securityscanreport_template/Mon, 18 May 2026 00:00:00 +0000https://chihhung.github.io/Blog/posts/%E6%95%99%E5%AD%B8/templates/testing/securityscanreport_template/<h1 id="安全測試與弱點掃描報告範本security-scan-report-template">安全測試與弱點掃描報告範本（Security Scan Report Template）</h1> <blockquote> <p><strong>適用標準</strong>：OWASP Testing Guide v4.2、CVSS 3.1（Common Vulnerability Scoring System）、CWE<br> <strong>適用階段</strong>：測試驗證階段（Testing Phase）<br> <strong>負責角色</strong>：AppSec 工程師、資安測試人員、QA Lead</p></blockquote> <hr> <h2 id="-章節目錄">📑 章節目錄</h2> <ol> <li><a href="#1-%E6%96%87%E4%BB%B6%E8%B3%87%E8%A8%8A">文件資訊</a></li> <li><a href="#2-%E6%B8%AC%E8%A9%A6%E6%91%98%E8%A6%81">測試摘要</a></li> <li><a href="#3-%E6%B8%AC%E8%A9%A6%E7%AF%84%E5%9C%8D%E8%88%87%E6%96%B9%E6%B3%95">測試範圍與方法</a></li> <li><a href="#4-%E5%BC%B1%E9%BB%9E%E7%B8%BD%E8%A6%BD">弱點總覽</a></li> <li><a href="#5-%E5%BC%B1%E9%BB%9E%E8%A9%B3%E7%B4%B0%E5%A0%B1%E5%91%8A">弱點詳細報告</a></li> <li><a href="#6-%E5%90%88%E8%A6%8F%E6%AA%A2%E6%A0%B8%E7%B5%90%E6%9E%9C">合規檢核結果</a></li> <li><a href="#7-%E4%BF%AE%E5%BE%A9%E8%A8%88%E7%95%AB">修復計畫</a></li> <li><a href="#8-%E7%B5%90%E8%AB%96%E8%88%87%E5%BB%BA%E8%AD%B0">結論與建議</a></li> <li><a href="#9-%E9%99%84%E9%8C%84">附錄</a></li> </ol> <hr> <h2 id="-範本">📝 範本</h2> <hr> <h3 id="1-文件資訊">1. 文件資訊</h3> <table> <thead> <tr> <th>項目</th> <th>內容</th> </tr> </thead> <tbody> <tr> <td><strong>文件名稱</strong></td> <td>[系統名稱] 安全測試報告</td> </tr> <tr> <td><strong>文件編號</strong></td> <td>[專案代碼]-STR-[版本號]-[日期]</td> </tr> <tr> <td><strong>版本</strong></td> <td>v[X.Y]</td> </tr> <tr> <td><strong>測試日期</strong></td> <td>[YYYY-MM-DD] ~ [YYYY-MM-DD]</td> </tr> <tr> <td><strong>測試人員</strong></td> <td>[AppSec 團隊 / 外部廠商]</td> </tr> <tr> <td><strong>審核者</strong></td> <td>[CISO / 資安主管]</td> </tr> <tr> <td><strong>資料分級</strong></td> <td>Confidential</td> </tr> </tbody> </table> <hr> <h3 id="2-測試摘要">2. 測試摘要</h3> <table> <thead> <tr> <th>項目</th> <th>內容</th> </tr> </thead> <tbody> <tr> <td>測試類型</td> <td>[SAST / DAST / SCA / Penetration Test / 組合]</td> </tr> <tr> <td>受測版本</td> <td>[Application version / Commit hash]</td> </tr> <tr> <td>測試結果總評</td> <td>[✅ PASS / ⚠️ CONDITIONAL PASS / ❌ FAIL]</td> </tr> <tr> <td>上線決策</td> <td>[可上線 / 修復後可上線 / 不可上線]</td> </tr> </tbody> </table> <h4 id="弱點統計">弱點統計</h4> <table> <thead> <tr> <th>嚴重度</th> <th>數量</th> <th>已修復</th> <th>待修復</th> <th>接受風險</th> </tr> </thead> <tbody> <tr> <td>Critical</td> <td>[N]</td> <td>[N]</td> <td>[N]</td> <td>[N]</td> </tr> <tr> <td>High</td> <td>[N]</td> <td>[N]</td> <td>[N]</td> <td>[N]</td> </tr> <tr> <td>Medium</td> <td>[N]</td> <td>[N]</td> <td>[N]</td> <td>[N]</td> </tr> <tr> <td>Low</td> <td>[N]</td> <td>[N]</td> <td>[N]</td> <td>[N]</td> </tr> <tr> <td>Info</td> <td>[N]</td> <td>—</td> <td>—</td> <td>—</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>[N]</strong></td> <td><strong>[N]</strong></td> <td><strong>[N]</strong></td> <td><strong>[N]</strong></td> </tr> </tbody> </table> <hr> <h3 id="3-測試範圍與方法">3. 測試範圍與方法</h3> <h4 id="31-測試範圍">3.1 測試範圍</h4> <table> <thead> <tr> <th>項目</th> <th>內容</th> </tr> </thead> <tbody> <tr> <td>目標系統</td> <td>[系統名稱 + URL/IP]</td> </tr> <tr> <td>測試範圍</td> <td>[In-scope modules / endpoints]</td> </tr> <tr> <td>排除範圍</td> <td>[Out-of-scope，如第三方元件]</td> </tr> <tr> <td>認證帳號</td> <td>[測試用帳號角色清單（不含密碼）]</td> </tr> </tbody> </table> <h4 id="32-測試方法">3.2 測試方法</h4> <table> <thead> <tr> <th>測試類型</th> <th>工具</th> <th>版本</th> <th>說明</th> </tr> </thead> <tbody> <tr> <td>SAST（靜態分析）</td> <td>[SonarQube / Checkmarx / Semgrep]</td> <td>[ver]</td> <td>原始碼分析</td> </tr> <tr> <td>DAST（動態分析）</td> <td>[OWASP ZAP / Burp Suite Pro]</td> <td>[ver]</td> <td>執行期掃描</td> </tr> <tr> <td>SCA（套件分析）</td> <td>[Snyk / OWASP Dependency-Check / Trivy]</td> <td>[ver]</td> <td>第三方套件弱點</td> </tr> <tr> <td>手動測試</td> <td>[Burp Suite / Custom scripts]</td> <td>—</td> <td>邏輯弱點</td> </tr> <tr> <td>Container Scan</td> <td>[Trivy / Aqua]</td> <td>[ver]</td> <td>容器映像掃描</td> </tr> </tbody> </table> <h4 id="33-測試依據">3.3 測試依據</h4> <table> <thead> <tr> <th>標準/指南</th> <th>涵蓋項目</th> </tr> </thead> <tbody> <tr> <td>OWASP Top 10 (2021)</td> <td>A01~A10</td> </tr> <tr> <td>OWASP API Security Top 10 (2023)</td> <td>全部</td> </tr> <tr> <td>OWASP ASVS v4.0.3</td> <td>[Level 1 / Level 2 / Level 3]</td> </tr> <tr> <td>CWE Top 25 (2023)</td> <td>常見弱點</td> </tr> </tbody> </table> <hr> <h3 id="4-弱點總覽">4. 弱點總覽</h3> <h4 id="41-依嚴重度分佈">4.1 依嚴重度分佈</h4> <table> <thead> <tr> <th>嚴重度</th> <th>CVSS 分數範圍</th> <th>修復 SLA</th> <th>數量</th> </tr> </thead> <tbody> <tr> <td>Critical</td> <td>9.0 – 10.0</td> <td>24 小時</td> <td>[N]</td> </tr> <tr> <td>High</td> <td>7.0 – 8.9</td> <td>7 天</td> <td>[N]</td> </tr> <tr> <td>Medium</td> <td>4.0 – 6.9</td> <td>30 天</td> <td>[N]</td> </tr> <tr> <td>Low</td> <td>0.1 – 3.9</td> <td>90 天</td> <td>[N]</td> </tr> <tr> <td>Info</td> <td>0.0</td> <td>視需要</td> <td>[N]</td> </tr> </tbody> </table> <h4 id="42-依類型分佈">4.2 依類型分佈</h4> <table> <thead> <tr> <th>弱點類型（CWE）</th> <th>數量</th> <th>嚴重度分佈</th> </tr> </thead> <tbody> <tr> <td>[CWE-XXX: 弱點名稱]</td> <td>[N]</td> <td>[C:N / H:N / M:N / L:N]</td> </tr> <tr> <td>[CWE-XXX: 弱點名稱]</td> <td>[N]</td> <td>[C:N / H:N / M:N / L:N]</td> </tr> </tbody> </table> <h4 id="43-依-owasp-top-10-分佈">4.3 依 OWASP Top 10 分佈</h4> <table> <thead> <tr> <th>OWASP Category</th> <th>弱點數量</th> <th>最高嚴重度</th> </tr> </thead> <tbody> <tr> <td>A01: Broken Access Control</td> <td>[N]</td> <td>[Critical/High/…]</td> </tr> <tr> <td>A02: Cryptographic Failures</td> <td>[N]</td> <td></td> </tr> <tr> <td>A03: Injection</td> <td>[N]</td> <td></td> </tr> <tr> <td>A04: Insecure Design</td> <td>[N]</td> <td></td> </tr> <tr> <td>A05: Security Misconfiguration</td> <td>[N]</td> <td></td> </tr> <tr> <td>A06: Vulnerable Components</td> <td>[N]</td> <td></td> </tr> <tr> <td>A07: Auth Failures</td> <td>[N]</td> <td></td> </tr> <tr> <td>A08: Software & Data Integrity</td> <td>[N]</td> <td></td> </tr> <tr> <td>A09: Logging & Monitoring Failures</td> <td>[N]</td> <td></td> </tr> <tr> <td>A10: SSRF</td> <td>[N]</td> <td></td> </tr> </tbody> </table> <hr> <h3 id="5-弱點詳細報告">5. 弱點詳細報告</h3> <h4 id="vuln-nnn-弱點標題">VULN-[NNN]: [弱點標題]</h4> <table> <thead> <tr> <th>項目</th> <th>內容</th> </tr> </thead> <tbody> <tr> <td><strong>弱點 ID</strong></td> <td>VULN-[NNN]</td> </tr> <tr> <td><strong>嚴重度</strong></td> <td>[Critical / High / Medium / Low]</td> </tr> <tr> <td><strong>CVSS 分數</strong></td> <td>[N.N]</td> </tr> <tr> <td><strong>CVSS Vector</strong></td> <td>[CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]</td> </tr> <tr> <td><strong>CWE</strong></td> <td>CWE-[NNN]: [名稱]</td> </tr> <tr> <td><strong>OWASP</strong></td> <td>[A01 / A02 / …]</td> </tr> <tr> <td><strong>發現工具</strong></td> <td>[SAST / DAST / Manual]</td> </tr> <tr> <td><strong>受影響元件</strong></td> <td>[模組/檔案/API endpoint]</td> </tr> <tr> <td><strong>狀態</strong></td> <td>[Open / Fixed / Accepted / False Positive]</td> </tr> </tbody> </table> <p><strong>描述：</strong></p>