docs: make Chinese README the default
CI and Release / lint-backend (push) Has been cancelled
CI and Release / lint-frontend (push) Has been cancelled
CI and Release / dockerfile-scan (push) Has been cancelled
CI and Release / lint-verification-agent (push) Has been cancelled
CI and Release / build-dev-image (push) Has been cancelled
CodeQL / Analyze (go) (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
CI and Release / test-frontend (push) Has been cancelled
CI and Release / test-verification-agent (push) Has been cancelled
CI and Release / e2e-verification-agent (push) Has been cancelled
CI and Release / test-backend (push) Has been cancelled
CI and Release / push-dev-image (push) Has been cancelled
CI and Release / build-image (push) Has been cancelled
CI and Release / build-verification-image (push) Has been cancelled
CI and Release / determine-version (push) Has been cancelled
CI and Release / push-image (push) Has been cancelled
CI and Release / push-verification-image (12) (push) Has been cancelled
CI and Release / push-verification-image (13) (push) Has been cancelled
CI and Release / push-verification-image (14) (push) Has been cancelled
CI and Release / push-verification-image (15) (push) Has been cancelled
CI and Release / push-verification-image (16) (push) Has been cancelled
CI and Release / push-verification-image (17) (push) Has been cancelled
CI and Release / push-verification-image (18) (push) Has been cancelled
CI and Release / release (push) Has been cancelled
CI and Release / publish-helm-chart (push) Has been cancelled
CI and Release / lint-backend (push) Has been cancelled
CI and Release / lint-frontend (push) Has been cancelled
CI and Release / dockerfile-scan (push) Has been cancelled
CI and Release / lint-verification-agent (push) Has been cancelled
CI and Release / build-dev-image (push) Has been cancelled
CodeQL / Analyze (go) (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
CI and Release / test-frontend (push) Has been cancelled
CI and Release / test-verification-agent (push) Has been cancelled
CI and Release / e2e-verification-agent (push) Has been cancelled
CI and Release / test-backend (push) Has been cancelled
CI and Release / push-dev-image (push) Has been cancelled
CI and Release / build-image (push) Has been cancelled
CI and Release / build-verification-image (push) Has been cancelled
CI and Release / determine-version (push) Has been cancelled
CI and Release / push-image (push) Has been cancelled
CI and Release / push-verification-image (12) (push) Has been cancelled
CI and Release / push-verification-image (13) (push) Has been cancelled
CI and Release / push-verification-image (14) (push) Has been cancelled
CI and Release / push-verification-image (15) (push) Has been cancelled
CI and Release / push-verification-image (16) (push) Has been cancelled
CI and Release / push-verification-image (17) (push) Has been cancelled
CI and Release / push-verification-image (18) (push) Has been cancelled
CI and Release / release (push) Has been cancelled
CI and Release / publish-helm-chart (push) Has been cancelled
This commit is contained in:
@@ -1,8 +1,14 @@
|
||||
<!-- WEHUB_ZH_README -->
|
||||
> [!NOTE]
|
||||
> 本文档由 WeHub 基于上游 README 翻译整理,属于社区翻译,非官方中文文档。
|
||||
> [English](./README.en.md) · [原始项目](https://github.com/databasus/databasus) · [上游 README](https://github.com/databasus/databasus/blob/HEAD/README.md)
|
||||
> 原作者、版权与许可证归属以原始项目及本仓库 LICENSE 文件为准。
|
||||
|
||||
<div align="center">
|
||||
<img src="assets/logo.svg" alt="Databasus Logo" width="250"/>
|
||||
|
||||
<h3>PostgreSQL backup tool</h3>
|
||||
<p>Databasus is a free, open source and self-hosted tool to backup PostgreSQL. Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.). With a focus on Point-in-Time Recovery at low RPO/RTO</p>
|
||||
<h3>PostgreSQL 备份工具</h3>
|
||||
<p>Databasus 是一款免费、开源且可自托管的 PostgreSQL 备份工具。支持将备份存储到多种存储后端(S3、Google Drive、FTP 等),并通过多种渠道发送进度通知(Slack、Discord、Telegram 等)。专注于低 RPO/RTO 的点时点恢复(Point-in-Time Recovery,PITR)</p>
|
||||
|
||||
<!-- Badges -->
|
||||
[](https://www.postgresql.org/)
|
||||
@@ -17,15 +23,15 @@
|
||||
[](https://github.com/databasus/databasus)
|
||||
|
||||
<p>
|
||||
<a href="#-features">Features</a> •
|
||||
<a href="#-installation">Installation</a> •
|
||||
<a href="#-usage">Usage</a> •
|
||||
<a href="#-license">License</a> •
|
||||
<a href="#-contributing">Contributing</a>
|
||||
<a href="#-features">功能</a> •
|
||||
<a href="#-installation">安装</a> •
|
||||
<a href="#-usage">使用</a> •
|
||||
<a href="#-license">许可证</a> •
|
||||
<a href="#-contributing">贡献</a>
|
||||
</p>
|
||||
|
||||
<p style="margin-top: 20px; margin-bottom: 20px; font-size: 1.2em;">
|
||||
<a href="https://databasus.com" target="_blank"><strong>🌐 Databasus website</strong></a>
|
||||
<a href="https://databasus.com" target="_blank"><strong>🌐 Databasus 官网</strong></a>
|
||||
</p>
|
||||
|
||||
<img src="assets/dashboard-dark.svg" alt="Databasus Dark Dashboard" width="800" style="margin-bottom: 10px;"/>
|
||||
@@ -35,107 +41,107 @@
|
||||
|
||||
---
|
||||
|
||||
## ✨ Features
|
||||
## ✨ 功能
|
||||
|
||||
### 📦 **Backup types**
|
||||
### 📦 **备份类型**
|
||||
|
||||
- **Physical**: file-level copy of the entire database cluster over PostgreSQL native incremental backups mechanism (read more)
|
||||
- **Full**: a complete, self-contained copy of the cluster
|
||||
- **Incremental**: stores only what changed since the previous full backup, so backups stay small and fast
|
||||
- **WAL streaming**: continuously captures the database write stream, enabling Point-in-time recovery (PITR). Designed for disaster recovery and near-zero data loss
|
||||
- **Logical**: native dump of the database in its engine-specific binary format (compressed, suitable for parallel restore)
|
||||
- **物理备份(Physical)**:通过 PostgreSQL 原生增量备份机制对整个数据库集群进行文件级复制(了解更多)
|
||||
- **全量(Full)**:集群的完整、自包含副本
|
||||
- **增量(Incremental)**:仅保存自上次全量备份以来的变更,使备份体积更小、速度更快
|
||||
- **WAL 流式传输(WAL streaming)**:持续捕获数据库写入流,支持点时点恢复(Point-in-time recovery,PITR)。面向灾难恢复与接近零数据丢失场景而设计
|
||||
- **逻辑备份(Logical)**:以引擎专属二进制格式对数据库进行原生转储(已压缩,适合并行恢复)
|
||||
|
||||
### 🔄 **Scheduled backups**
|
||||
### 🔄 **定时备份**
|
||||
|
||||
- **Flexible scheduling**: hourly, daily, weekly, monthly or cron
|
||||
- **Precise timing**: run backups at specific times (e.g., 4 AM during low traffic)
|
||||
- **Smart compression**: 4-8x space savings with balanced compression (~20% overhead)
|
||||
- **灵活调度**:按小时、按天、按周、按月或 cron
|
||||
- **精确时间**:在指定时间执行备份(例如,在低流量时段的凌晨 4 点)
|
||||
- **智能压缩**:在均衡压缩下节省 4-8 倍空间(约 20% 开销)
|
||||
|
||||
### 🧪 **Restore verification** <a href="https://databasus.com/restore-verification">(docs)</a>
|
||||
### 🧪 **恢复验证** <a href="https://databasus.com/restore-verification">(文档)</a>
|
||||
|
||||
Databasus performs a real restore to confirm backups are usable, not just intact on disk or checksum check.
|
||||
Databasus 会执行真实恢复以确认备份可用,而不仅仅检查磁盘完整性或校验和。
|
||||
|
||||
- **Triggers**: after each backup or on a flexible schedule (hourly, daily, weekly, monthly or cron)
|
||||
- **Real restore**: spins up a database container, runs the restore and checks the restored size against the backup
|
||||
- **Report**: lists every table with its row count
|
||||
- **Optional notifications**: send the report or failure-only alerts through any configured notifier
|
||||
- **触发方式**:每次备份后,或按灵活计划(按小时、按天、按周、按月或 cron)
|
||||
- **真实恢复**:启动数据库容器,执行恢复,并将恢复后大小与备份进行比对
|
||||
- **报告**:列出每张表及其行数
|
||||
- **可选通知**:通过任意已配置的通知渠道发送报告,或仅在失败时发送告警
|
||||
|
||||
### 🗑️ **Retention policies**
|
||||
### 🗑️ **保留策略**
|
||||
|
||||
- **Time period**: Keep backups for a fixed duration (e.g., 7 days, 3 months, 1 year)
|
||||
- **Count**: Keep a fixed number of the most recent backups (e.g., last 30)
|
||||
- **GFS (Grandfather-Father-Son)**: Layered retention — keep hourly, daily, weekly, monthly and yearly backups independently for fine-grained long-term history (enterprises requirement)
|
||||
- **Size limits**: Set per-backup and total storage size caps to control storage usage
|
||||
- **时间周期**:在固定时长内保留备份(例如 7 天、3 个月、1 年)
|
||||
- **数量**:保留固定数量的最新备份(例如最近 30 个)
|
||||
- **GFS(Grandfather-Father-Son)**:分层保留——分别独立保留按小时、按天、按周、按月、按年的备份,以实现细粒度的长期历史(企业需求)
|
||||
- **大小限制**:为单次备份和总存储设置上限,以控制存储用量
|
||||
|
||||
### 🗄️ **Multiple storage destinations** <a href="https://databasus.com/storages">(view supported)</a>
|
||||
### 🗄️ **多存储目标** <a href="https://databasus.com/storages">(查看支持列表)</a>
|
||||
|
||||
- **Local storage**: Keep backups on your VPS/server
|
||||
- **Cloud storage**: S3, Cloudflare R2, Google Drive, NAS, Dropbox, SFTP, Rclone and more
|
||||
- **Secure**: All data stays under your control
|
||||
- **本地存储**:将备份保留在你的 VPS/服务器上
|
||||
- **云存储**:S3、Cloudflare R2、Google Drive、NAS、Dropbox、SFTP、Rclone 等
|
||||
- **安全可控**:所有数据始终由你掌控
|
||||
|
||||
### 📱 **Notifications** <a href="https://databasus.com/notifiers">(view supported)</a>
|
||||
### 📱 **通知** <a href="https://databasus.com/notifiers">(查看支持列表)</a>
|
||||
|
||||
- **Multiple channels**: Email, Telegram, Slack, Discord, webhooks
|
||||
- **Real-time updates**: Success and failure notifications
|
||||
- **Team integration**: Perfect for DevOps workflows
|
||||
- **多渠道**:Email、Telegram、Slack、Discord、webhooks
|
||||
- **实时更新**:成功与失败通知
|
||||
- **团队集成**:非常适合 DevOps 工作流
|
||||
|
||||
### 🔒 **Enterprise-grade security** <a href="https://databasus.com/security">(docs)</a>
|
||||
### 🔒 **企业级安全** <a href="https://databasus.com/security">(文档)</a>
|
||||
|
||||
- **AES-256-GCM encryption**: Enterprise-grade protection for backup files
|
||||
- **Zero-trust storage**: Backups are encrypted and remain useless to attackers, so you can safely store them in shared storage like S3, Azure Blob Storage, etc.
|
||||
- **Encryption for secrets**: Any sensitive data is encrypted and never exposed, even in logs or error messages
|
||||
- **Read-only user**: Databasus uses a read-only user by default for backups and never stores anything that can modify your data
|
||||
- **AES-256-GCM 加密**:为备份文件提供企业级保护
|
||||
- **零信任存储(Zero-trust storage)**:备份经过加密,对攻击者毫无价值,因此可安全存放在 S3、Azure Blob Storage 等共享存储中
|
||||
- **敏感信息加密**:任何敏感数据均会加密,绝不会暴露,即使在日志或错误消息中也不例外
|
||||
- **只读用户**:Databasus 默认使用只读用户执行备份,且从不存储任何可修改你数据的内容
|
||||
|
||||
### 👥 **Suitable for teams** <a href="https://databasus.com/access-management">(docs)</a>
|
||||
### 👥 **适合团队使用** <a href="https://databasus.com/access-management">(文档)</a>
|
||||
|
||||
- **Workspaces**: Group databases, notifiers and storages for different projects or teams
|
||||
- **Access management**: Control who can view or manage specific databases with role-based permissions
|
||||
- **Audit logs**: Track all system activities and changes made by users
|
||||
- **User roles**: Assign viewer, member, admin or owner roles within workspaces
|
||||
- **工作区(Workspaces)**:为不同项目或团队分组管理数据库、通知器与存储
|
||||
- **访问管理**:通过基于角色的权限控制谁可查看或管理特定数据库
|
||||
- **审计日志**:跟踪所有系统活动及用户所做的变更
|
||||
- **用户角色**:在工作区内分配查看者(viewer)、成员(member)、管理员(admin)或所有者(owner)角色
|
||||
|
||||
### 🎨 **UX-Friendly**
|
||||
### 🎨 **用户体验友好**
|
||||
|
||||
- **Designer-polished UI**: Clean, intuitive interface crafted with attention to detail
|
||||
- **Dark & light themes**: Choose the look that suits your workflow
|
||||
- **Mobile adaptive**: Check your backups from anywhere on any device
|
||||
- **设计师打磨的 UI**:干净、直观的界面,细节考究
|
||||
- **深色与浅色主题**:选择适合你工作流的外观
|
||||
- **移动端适配**:在任何设备上随时随地查看备份状态
|
||||
|
||||
### 💾 **Supported databases**
|
||||
### 💾 **支持的数据库**
|
||||
|
||||
- **PostgreSQL**: 14, 15, 16, 17 and 18 (physical and logical)
|
||||
- **MySQL**: 5.7 and 8 (logical only)
|
||||
- **MariaDB**: 10, 11 and 12 (logical only)
|
||||
- **MongoDB**: 4.2+, 5, 6, 7 and 8 (logical only)
|
||||
- **PostgreSQL**:14、15、16、17 和 18(物理与逻辑)
|
||||
- **MySQL**:5.7 和 8(仅逻辑)
|
||||
- **MariaDB**:10、11 和 12(仅逻辑)
|
||||
- **MongoDB**:4.2+、5、6、7 和 8(仅逻辑)
|
||||
-
|
||||
### 🐳 **Self-hosted & secure**
|
||||
### 🐳 **自托管且安全**
|
||||
|
||||
- **Docker-based**: Easy deployment and management
|
||||
- **Privacy-first**: All your data stays on your infrastructure
|
||||
- **Open source**: Apache 2.0 licensed, inspect every line of code
|
||||
- **基于 Docker**:易于部署与管理
|
||||
- **隐私优先**:所有数据保留在你的基础设施上
|
||||
- **开源**:Apache 2.0 许可,可逐行审查代码
|
||||
|
||||
### 📦 Installation <a href="https://databasus.com/installation">(docs)</a>
|
||||
### 📦 安装 <a href="https://databasus.com/installation">(文档)</a>
|
||||
|
||||
You have four ways to install Databasus:
|
||||
你有四种方式安装 Databasus:
|
||||
|
||||
- Automated script (recommended)
|
||||
- Simple Docker run
|
||||
- Docker Compose setup
|
||||
- Kubernetes with Helm
|
||||
- 自动化脚本(推荐)
|
||||
- 简单 Docker run
|
||||
- Docker Compose 配置
|
||||
- 使用 Helm 的 Kubernetes
|
||||
|
||||
<img src="assets/healthchecks.svg" alt="Databasus Dashboard" width="800"/>
|
||||
|
||||
---
|
||||
|
||||
## 📦 Installation
|
||||
## 📦 安装
|
||||
|
||||
You have four ways to install Databasus: automated script (recommended), simple Docker run, or Docker Compose setup.
|
||||
你有四种方式安装 Databasus:自动化脚本(推荐)、简单 Docker run,或 Docker Compose 配置。
|
||||
|
||||
### Option 1: Automated installation script (recommended, Linux only)
|
||||
### 选项 1:自动化安装脚本(推荐,仅 Linux)
|
||||
|
||||
The installation script will:
|
||||
安装脚本将:
|
||||
|
||||
- ✅ Install Docker with Docker Compose (if not already installed)
|
||||
- ✅ Set up Databasus
|
||||
- ✅ Configure automatic startup on system reboot
|
||||
- ✅ 安装 Docker 与 Docker Compose(若尚未安装)
|
||||
- ✅ 设置 Databasus
|
||||
- ✅ 配置系统重启后自动启动
|
||||
|
||||
```bash
|
||||
sudo apt-get install -y curl && \
|
||||
@@ -143,9 +149,9 @@ sudo curl -sSL https://raw.githubusercontent.com/databasus/databasus/refs/heads/
|
||||
| sudo bash
|
||||
```
|
||||
|
||||
### Option 2: Simple Docker run
|
||||
### 选项 2:简单 Docker run
|
||||
|
||||
The easiest way to run Databasus:
|
||||
运行 Databasus 的最简单方式:
|
||||
|
||||
```bash
|
||||
docker run -d \
|
||||
@@ -156,15 +162,15 @@ docker run -d \
|
||||
databasus/databasus:latest
|
||||
```
|
||||
|
||||
This single command will:
|
||||
这条命令将:
|
||||
|
||||
- ✅ Start Databasus
|
||||
- ✅ Store all data in `./databasus-data` directory
|
||||
- ✅ Automatically restart on system reboot
|
||||
- ✅ 启动 Databasus
|
||||
- ✅ 将所有数据存储在 `./databasus-data` 目录中
|
||||
- ✅ 在系统重启后自动重启
|
||||
|
||||
### Option 3: Docker Compose setup
|
||||
### 选项 3:Docker Compose 配置
|
||||
|
||||
Create a `docker-compose.yml` file with the following configuration:
|
||||
创建一个 `docker-compose.yml` 文件,内容如下:
|
||||
|
||||
```yaml
|
||||
services:
|
||||
@@ -184,17 +190,17 @@ services:
|
||||
start_period: 60s
|
||||
```
|
||||
|
||||
Then run:
|
||||
然后运行:
|
||||
|
||||
```bash
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
### Option 4: Kubernetes with Helm
|
||||
### 选项 4:使用 Helm 部署 Kubernetes
|
||||
|
||||
For Kubernetes deployments, install directly from the OCI registry.
|
||||
对于 Kubernetes 部署,可直接从 OCI 镜像仓库安装。
|
||||
|
||||
**With ClusterIP + port-forward (development/testing):**
|
||||
**使用 ClusterIP + port-forward(开发/测试):**
|
||||
|
||||
```bash
|
||||
helm install databasus oci://ghcr.io/databasus/charts/databasus \
|
||||
@@ -206,7 +212,7 @@ kubectl port-forward svc/databasus-service 4005:4005 -n databasus
|
||||
# Access at http://localhost:4005
|
||||
```
|
||||
|
||||
**With LoadBalancer (cloud environments):**
|
||||
**使用 LoadBalancer(云环境):**
|
||||
|
||||
```bash
|
||||
helm install databasus oci://ghcr.io/databasus/charts/databasus \
|
||||
@@ -219,7 +225,7 @@ kubectl get svc databasus-service -n databasus
|
||||
# Access at http://<EXTERNAL-IP>:4005
|
||||
```
|
||||
|
||||
**With Ingress (domain-based access):**
|
||||
**使用 Ingress(基于域名的访问):**
|
||||
|
||||
```bash
|
||||
helm install databasus oci://ghcr.io/databasus/charts/databasus \
|
||||
@@ -228,90 +234,90 @@ helm install databasus oci://ghcr.io/databasus/charts/databasus \
|
||||
--set ingress.hosts[0].host=backup.example.com
|
||||
```
|
||||
|
||||
For more options (NodePort, TLS, HTTPRoute for Gateway API), see the [Helm chart README](deploy/helm/README.md).
|
||||
更多选项(NodePort、TLS、Gateway API 的 HTTPRoute),请参阅 [Helm chart README](deploy/helm/README.md)。
|
||||
|
||||
---
|
||||
|
||||
## 🚀 Usage
|
||||
## 🚀 使用方法
|
||||
|
||||
1. **Access the dashboard**: Navigate to `http://localhost:4005`
|
||||
2. **Add your first database for backup**: Click "New Database" and follow the setup wizard
|
||||
3. **Configure schedule**: Choose from hourly, daily, weekly, monthly or cron intervals
|
||||
4. **Set database connection**: Enter your database credentials and connection details
|
||||
5. **Choose storage**: Select where to store your backups (local, S3, Google Drive, etc.)
|
||||
6. **Configure retention policy**: Choose time period, count or GFS to control how long backups are kept
|
||||
7. **Add notifications** (optional): Configure email, Telegram, Slack, or webhook notifications
|
||||
8. **Save and start**: Databasus will validate settings and begin the backup schedule
|
||||
1. **访问控制面板**:前往 `http://localhost:4005`
|
||||
2. **添加第一个待备份数据库**:点击 "New Database" 并按照设置向导操作
|
||||
3. **配置计划**:可选择每小时、每天、每周、每月或 cron 间隔
|
||||
4. **设置数据库连接**:输入数据库凭据和连接信息
|
||||
5. **选择存储**:选择备份存放位置(本地、S3、Google Drive 等)
|
||||
6. **配置保留策略**:选择时间段、数量或 GFS,以控制备份保留时长
|
||||
7. **添加通知**(可选):配置电子邮件、Telegram、Slack 或 webhook 通知
|
||||
8. **保存并启动**:Databasus 将验证设置并开始备份计划
|
||||
|
||||
### 🔑 Resetting password <a href="https://databasus.com/password">(docs)</a>
|
||||
### 🔑 重置密码 <a href="https://databasus.com/password">(文档)</a>
|
||||
|
||||
If you need to reset the password, you can use the built-in password reset command:
|
||||
如需重置密码,可使用内置的密码重置命令:
|
||||
|
||||
```bash
|
||||
docker exec -it databasus ./main --new-password="YourNewSecurePassword123" --email="admin"
|
||||
```
|
||||
|
||||
Replace `admin` with the actual email address of the user whose password you want to reset.
|
||||
将 `admin` 替换为需要重置密码的用户的实际电子邮件地址。
|
||||
|
||||
### 💾 Backuping Databasus itself
|
||||
### 💾 备份 Databasus 自身
|
||||
|
||||
After installation, it is also recommended to <a href="https://databasus.com/faq#backup-databasus">backup your Databasus itself</a> or, at least, to copy secret key used for encryption (30 seconds is needed). So you are able to restore from your encrypted backups if you lose access to the server with Databasus or it is corrupted.
|
||||
安装完成后,也建议 <a href="https://databasus.com/faq#backup-databasus">备份 Databasus 自身</a>,或至少复制用于加密的密钥(约需 30 秒)。这样,若你无法访问运行 Databasus 的服务器或其已损坏,仍可从加密备份中恢复。
|
||||
|
||||
---
|
||||
|
||||
## 🛡️ Security & reliability engineering
|
||||
## 🛡️ 安全与可靠性工程
|
||||
|
||||
Databasus works with sensitive data, so preventing vulnerabilities, unauthorised access and data leaks is a primary concern. We invest in this on both sides of the system: in the code itself (permission checks, encryption, careful handling of secrets) and in the infrastructure around it (dependency analysis, CVE response, DevSecOps best practices). The pipeline below runs automatically on every commit and PR. No single layer is enough on its own, but together they reduce the chance of vulnerable code, unsafe dependencies, broken images, or non-restorable backups reaching a release.
|
||||
Databasus 处理敏感数据,因此防范漏洞、未授权访问和数据泄露是首要关注点。我们在系统两侧都为此投入:代码本身(权限检查、加密、谨慎处理密钥)以及周边基础设施(依赖分析、CVE 响应、DevSecOps 最佳实践)。以下流水线会在每次提交和 PR 时自动运行。任何单一层次都无法独立奏效,但组合起来可降低存在漏洞的代码、不安全的依赖、损坏的镜像或无法恢复的备份进入发布的概率。
|
||||
|
||||
For static analysis we combine several independent passes. CodeQL scans the full codebase for security issues. CodeRabbit reviews every PR and runs gitleaks for secret scanning and semgrep for security rules inline. Dockerfiles and CI workflows get extra rules of their own (pinned action references, least-privilege permissions, suspicious base images), so insecure patterns are flagged before they ever merge. On top of these per-PR checks, Codex Security from OpenAI runs regular, deeper audits of the whole codebase. It's a separate program that catches architectural and cross-cutting issues narrow PR-time scans can miss.
|
||||
静态分析方面,我们结合多种独立检查。CodeQL 扫描整个代码库以发现安全问题。CodeRabbit 审查每个 PR,并运行 gitleaks 进行密钥扫描、semgrep 进行内联安全规则检查。Dockerfile 和 CI 工作流另有专属规则(固定 action 引用、最小权限、可疑基础镜像),因此不安全模式在合并前就会被标记。在这些按 PR 检查之上,OpenAI 的 Codex Security 会定期对整个代码库进行更深入的审计。这是一项独立计划,可发现狭窄的 PR 期扫描可能遗漏的架构性与横切问题。
|
||||
|
||||
On the dependency side, Dependabot watches all of our dependencies against the GitHub Advisory Database and surfaces CVEs within minutes of publication. Updates run through a cooldown so newly-published versions get a chance to mature before we adopt them. This is a deliberate defence against compromised-package incidents like supply-chain attack. The Dependency Review Action blocks any PR that introduces a new HIGH or CRITICAL CVE outright.
|
||||
依赖方面,Dependabot 对照 GitHub Advisory Database 监控我们所有依赖,并在 CVE 发布后数分钟内即予以披露。更新会经过冷却期,使新发布版本有机会成熟后再被采用。这是针对供应链攻击等受污染软件包事件的刻意防护。Dependency Review Action 会直接阻止引入新的 HIGH 或 CRITICAL 级 CVE 的任何 PR。
|
||||
|
||||
Container images are scanned with Trivy on every build. A separate Trivy pass on the Dockerfile catches misconfigurations before they make it into an image. All GitHub Actions are pinned to full commit SHAs rather than floating tags like `@v4` or `@main`, which have been an active attack vector in 2025. Workflows default to least-privilege permissions and only elevate per-job when genuinely needed.
|
||||
每次构建都会用 Trivy 扫描容器镜像。对 Dockerfile 的单独 Trivy 检查可在错误配置进入镜像前发现它们。所有 GitHub Actions 均固定到完整 commit SHA,而非 `@v4` 或 `@main` 这类浮动标签——它们在 2025 年曾是活跃的攻击向量。工作流默认采用最小权限,仅在实际需要时才按作业提升权限。
|
||||
|
||||
Critical paths are covered by both unit and integration tests, run against real database containers for every supported engine and major version. Restore is the path that matters most for a backup tool, so we test it explicitly: every PR runs full backup-then-restore cycles against those same real containers, verifying that backups can actually be restored end-to-end, not just written successfully. The rest of the CI/CD pipeline runs lint, type-check, the full test suite, image smoke tests and multi-architecture builds on every PR. A release only ships if all of it passes.
|
||||
关键路径由单元测试和集成测试共同覆盖,针对每个受支持引擎及主要版本在真实数据库容器中运行。对备份工具而言,恢复路径最为关键,因此我们明确测试它:每个 PR 都会对这些真实容器运行完整的备份—恢复周期,验证备份能够端到端恢复,而不仅是成功写入。CI/CD 流水线的其余部分在每次 PR 时运行 lint、类型检查、完整测试套件、镜像冒烟测试和多架构构建。仅当全部通过才会发布版本。
|
||||
|
||||
Found a vulnerability? Report it via the GitHub Security tab. See [SECURITY.md](https://github.com/databasus/databasus?tab=security-ov-file#readme). Security reports are the highest-priority work queue. For runtime application security (AES-256-GCM at rest, zero-trust storage, encrypted secrets, read-only DB user by default) see [Enterprise-grade security](#-enterprise-grade-security) in the Features section above.
|
||||
发现漏洞?请通过 GitHub Security 选项卡报告。请参阅 [SECURITY.md](https://github.com/databasus/databasus?tab=security-ov-file#readme). 安全报告是最高优先级的工作队列。有关运行时应用安全(静态数据 AES-256-GCM、零信任存储、加密密钥、默认只读数据库用户),请参见上文 Features 部分的 [Enterprise-grade security](#-enterprise-grade-security)。
|
||||
|
||||
---
|
||||
|
||||
## 📝 License
|
||||
## 📝 许可证
|
||||
|
||||
This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENSE) file for details
|
||||
本项目采用 Apache 2.0 License 许可——详见 [LICENSE](LICENSE) 文件。
|
||||
|
||||
## 🤝 Contributing
|
||||
## 🤝 贡献
|
||||
|
||||
Contributions are welcome! Read the <a href="https://databasus.com/contribute">contributing guide</a> for more details, priorities and rules. If you want to contribute but don't know where to start, message me on Telegram [@rostislav_dugin](https://t.me/rostislav_dugin)
|
||||
欢迎贡献!请阅读 <a href="https://databasus.com/contribute">contributing guide</a> 了解更多细节、优先级和规则。如果你想贡献但不知从何入手,可在 Telegram 上联系我 [@rostislav_dugin](https://t.me/rostislav_dugin)
|
||||
|
||||
Also you can join our large community of developers, DBAs and DevOps engineers on Telegram [@databasus_community](https://t.me/databasus_community).
|
||||
你也可以在 Telegram 上加入由开发者、DBA 和 DevOps 工程师组成的大型社区 [@databasus_community](https://t.me/databasus_community).
|
||||
|
||||
## AI disclaimer
|
||||
## AI 免责声明
|
||||
|
||||
There have been questions about AI usage in project development in issues and discussions. As the project focuses on security, reliability and production usage, it's important to explain how AI is used in the development process.
|
||||
在 issues 和 discussions 中,有人就项目开发中的 AI 使用提出问题。由于本项目聚焦安全、可靠性与生产使用,说明 AI 在开发流程中的用法十分重要。
|
||||
|
||||
First of all, we are proud to say that Databasus has been accepted into both [Claude for Open Source](https://claude.com/contact-sales/claude-for-oss) by Anthropic and [Codex for Open Source](https://developers.openai.com/codex/community/codex-for-oss/) by OpenAI in March 2026. For us it is one more signal that the project was recognized as important open-source software and was as critical infrastructure worth supporting independently by two of the world's leading AI companies. Read more at [databasus.com/faq](https://databasus.com/faq#oss-programs).
|
||||
首先,我们自豪地宣布,Databasus 已于 2026 年 3 月同时入选 Anthropic 的 [Claude for Open Source](https://claude.com/contact-sales/claude-for-oss) 与 OpenAI 的 [Codex for Open Source](https://developers.openai.com/codex/community/codex-for-oss/)。对我们来说,这再次表明该项目被认可为重要的开源软件,且作为关键基础设施,值得两家全球领先 AI 公司独立支持。更多信息请见 [databasus.com/faq](https://databasus.com/faq#oss-programs).
|
||||
|
||||
Despite of this, we have the following rules how AI is used in the development process:
|
||||
尽管如此,我们对开发流程中 AI 的使用遵循以下规则:
|
||||
|
||||
AI is used as a helper for:
|
||||
AI 用作以下方面的辅助:
|
||||
|
||||
- verification of code quality and searching for vulnerabilities
|
||||
- cleaning up and improving documentation, comments and code
|
||||
- assistance during development
|
||||
- double-checking PRs and commits after human review
|
||||
- additional security analysis of PRs via Codex Security
|
||||
- 代码质量验证与漏洞查找
|
||||
- 清理和改进文档、注释与代码
|
||||
- 开发过程中的协助
|
||||
- 人工审查后对 PR 和提交进行二次核对
|
||||
- 通过 Codex Security 对 PR 进行额外安全分析
|
||||
|
||||
AI is not used for:
|
||||
AI 不用于:
|
||||
|
||||
- writing entire code
|
||||
- "vibe code" approach
|
||||
- code without line-by-line verification by a human
|
||||
- code without tests
|
||||
- 编写完整代码
|
||||
- 「vibe code」式开发
|
||||
- 未经人工逐行验证的代码
|
||||
- 没有测试的代码
|
||||
|
||||
So AI is just an assistant and a tool for developers to increase productivity and ensure code quality. The work is done by developers.
|
||||
因此,AI 只是帮助开发者提高生产力并确保代码质量的助手和工具。实际工作由开发者完成。
|
||||
|
||||
Moreover, it's important to note that we do not differentiate between bad human code and AI vibe code. There are strict requirements for any code to be merged to keep the codebase maintainable.
|
||||
此外,重要的是我们并不区分劣质人工代码与 AI vibe code。任何要合并的代码都有严格要求,以保持代码库可维护。
|
||||
|
||||
Even if code is written manually by a human, it's not guaranteed to be merged. Vibe code is not allowed at all and all such PRs are rejected by default (see [contributing guide](https://databasus.com/contribute)).
|
||||
即使代码由人工手动编写,也不保证会被合并。完全不允许 vibe code,此类 PR 默认一律拒绝(参见 [contributing guide](https://databasus.com/contribute)).
|
||||
|
||||
The engineering safeguards behind these rules (CI, static analysis, dependency scanning, test coverage and vulnerability response) are documented in [Security & reliability engineering](#️-security--reliability-engineering) above.
|
||||
这些规则背后的工程保障措施(CI、静态分析、依赖扫描、测试覆盖率与漏洞响应)详见上文 [安全与可靠性工程](#️-security--reliability-engineering)。
|
||||
|
||||
Reference in New Issue
Block a user