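// 实现示例 (implementation example)
type File = { path: string; content: string }

/** One finding: the file it occurred in and a redacted excerpt of the offending line. */
type Hit = { path: string; snippet: string }

/**
 * Known credential formats. Each pattern matches the credential itself (not the
 * surrounding line), so a match can be masked in place when the hit is recorded.
 */
const regexes = [
  /AKIA[0-9A-Z]{16}/, // AWS Access Key
  /ghp_[A-Za-z0-9]{36}/, // GitHub Token
  /AIza[0-9A-Za-z\-_]{35}/, // Google API Key
]

/**
 * Candidate tokens for the entropy check: runs of 24+ base64-alphabet characters.
 * Global so `match` / `replace` see every occurrence on the line.
 */
const tokenRe = /[A-Za-z0-9+/=]{24,}/g

/** Default Shannon-entropy threshold (bits per character) a candidate token must reach. */
const DEFAULT_THRESHOLD = 4.0

/**
 * Shannon entropy of `s` in bits per character; 0 for the empty string.
 *
 * Iterates code points and uses the code-point count as the denominator, so a
 * character outside the BMP is not counted twice the way `s.length` would.
 */
function entropy(s: string): number {
  const freq = new Map<string, number>()
  let total = 0
  for (const ch of s) {
    freq.set(ch, (freq.get(ch) ?? 0) + 1)
    total++
  }
  if (total === 0) return 0
  let bits = 0
  for (const count of freq.values()) {
    const p = count / total
    bits -= p * Math.log2(p)
  }
  return bits
}

/** Tokens in `line` that look like high-entropy secrets; shared by detection and redaction. */
function highEntropyTokens(line: string, threshold: number): string[] {
  return (line.match(tokenRe) ?? []).filter(t => entropy(t) >= threshold)
}

/**
 * Whether one line of text contains a likely secret.
 *
 * @param s         the line to inspect
 * @param threshold entropy (bits/char) a candidate token must reach
 * @returns true if a known credential format matches, or a base64-like token of
 *          24+ characters reaches `threshold`. Entropy is measured on the token
 *          rather than the whole line, so surrounding code neither dilutes nor
 *          inflates the score.
 */
function suspicious(s: string, threshold = DEFAULT_THRESHOLD): boolean {
  if (regexes.some(r => r.test(s))) return true
  return highEntropyTokens(s, threshold).length > 0
}

/** Keep a 4-character prefix for triage (format prefixes such as `AKIA`) and drop the rest. */
function mask(token: string): string {
  return `${token.slice(0, 4)}…[REDACTED]`
}

/**
 * Copy of `line` with every known-format match and every high-entropy token
 * masked, so the audit record never carries the secret itself.
 *
 * @param line      the suspicious line
 * @param threshold same threshold used for detection, so the same tokens are masked
 */
function redact(line: string, threshold = DEFAULT_THRESHOLD): string {
  let out = line
  for (const r of regexes) {
    // The detection patterns are non-global; build a global copy so every occurrence is masked.
    const global = r.global ? r : new RegExp(r.source, r.flags + 'g')
    out = out.replace(global, mask)
  }
  for (const token of highEntropyTokens(out, threshold)) {
    out = out.split(token).join(mask(token))
  }
  return out
}

/**
 * Scan files line by line and report at most one finding per file.
 *
 * @param files files to scan
 * @returns hits holding the file path and a redacted excerpt (at most 200 chars)
 *          of the first suspicious line; the raw secret is never stored.
 */
function scan(files: File[]): { hits: Hit[] } {
  const hits: Hit[] = []
  for (const f of files) {
    for (const ln of f.content.split(/\r?\n/)) {
      if (!suspicious(ln)) continue
      // Redact before truncating so the excerpt cannot be cut in a way that leaves the secret intact.
      hits.push({ path: f.path, snippet: redact(ln).slice(0, 200) })
      break // one finding per file is enough to block the commit
    }
  }
  return { hits }
}

// 审计与运行治理提交前阻断命中项并输出修复建议;允许受控例外并设到期。审计记录包含文件路径与片段摘要;禁止将机密写入日志。
// (Audit and runtime governance: block hits before commit and emit remediation advice; allow controlled
// exceptions with an expiry. Audit records hold the file path and a redacted excerpt; never write secrets to logs.)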
