function Invoke-DeviceHealthCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$DeviceName,
        
        [ValidateSet('Basic','Full')]
        [string]$ScanMode = 'Basic'
    )

    $complianceReport = [PSCustomObject]@{
        Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        DeviceName = $DeviceName
        EncryptionStatus = $null
        PatchLevel = $null
        FirewallRules = @()
        ComplianceScore = 0
    }

    try {
        # 验证BitLocker加密状态
        $encryptionStatus = Get-BitLockerVolume -MountPoint C: | 
            Select-Object -ExpandProperty EncryptionPercentage
        $complianceReport.EncryptionStatus = $encryptionStatus -ge 100 ? 'Compliant' : 'Non-Compliant'

        # 检查系统更新状态
        $updates = Get-HotFix | 
            Where-Object InstalledOn -lt (Get-Date).AddDays(-30)
        $complianceReport.PatchLevel = $updates.Count -eq 0 ? 'Current' : 'Outdated'

        # 审计防火墙规则（完整扫描模式）
        if ($ScanMode -eq 'Full') {
            $firewallRules = Get-NetFirewallRule |
                Where-Object Enabled -eq True |
                Select-Object DisplayName, Direction, Action
            $complianceReport.FirewallRules = $firewallRules
        }

        # 计算合规分数
        $score = 0
        if ($complianceReport.EncryptionStatus -eq 'Compliant') { $score += 40 }
        if ($complianceReport.PatchLevel -eq 'Current') { $score += 30 }
        if ($complianceReport.FirewallRules.Count -eq 0) { $score += 30 }
        $complianceReport.ComplianceScore = $score
    }
    catch {
        Write-Error "设备健康检查失败: $_"
    }

    # 生成零信任合规报告
    $complianceReport | Export-Clixml -Path "$env:TEMP/${DeviceName}_ComplianceReport_$(Get-Date -Format yyyyMMdd).xml"
    return $complianceReport
}

function Invoke-DeviceHealthCheck {
    [CmdletBinding()]
    param(
        [ValidateSet('Basic','Full')]
        [string]$ScanLevel = 'Basic'
    )

    $healthReport = [PSCustomObject]@{
        Timestamp     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        DeviceID      = (Get-CimInstance -ClassName Win32_ComputerSystem).Name
        Compliance    = $true
        SecurityScore = 100
        Findings      = @()
    }

    # 基础检查项
    $checks = @(
        { Get-CimInstance -ClassName Win32_BIOS | Select-Object Version,ReleaseDate },
        { Get-WindowsUpdateLog -Last 7 | Where Status -ne 'Installed' },
        { Get-NetFirewallProfile | Where Enabled -eq $false }
    )

    if ($ScanLevel -eq 'Full') {
        $checks += @(
            { Get-Service -Name WinDefend | Where Status -ne 'Running' },
            { Get-ChildItem 'C:\Temp' -Recurse -File | Where {$_.LastWriteTime -gt (Get-Date).AddDays(-1)} },
            { Get-LocalUser | Where PasswordNeverExpires -eq $true }
        )
    }

    foreach ($check in $checks) {
        try {
            $result = & $check
            if ($result) {
                $healthReport.Findings += [PSCustomObject]@{
                    CheckName = $check.ToString().Split('{')[1].Trim()
                    Status    = 'NonCompliant'
                    Details   = $result | ConvertTo-Json -Compress
                }
                $healthReport.SecurityScore -= 10
                $healthReport.Compliance = $false
            }
        }
        catch {
            Write-Warning "检查项执行失败: $_"
        }
    }

    $healthReport | Export-Clixml -Path "$env:TEMP\DeviceHealthReport_$(Get-Date -Format yyyyMMdd).xml"
    return $healthReport
}

function Invoke-SupplyChainScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$ScanPath,
        
        [ValidateSet('Critical','High','Medium','Low')]
        [string]$SeverityLevel = 'Critical'
    )

    $report = [PSCustomObject]@{
        Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        ScannedComponents = @()
        SecurityFindings = @()
    }

    # 组件哈希校验与签名验证
    Get-ChildItem $ScanPath -Recurse -Include *.dll,*.exe,*.psm1 | ForEach-Object {
        $fileHash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        $signature = Get-AuthenticodeSignature $_.FullName
        
        $component = [PSCustomObject]@{
            FileName = $_.Name
            FilePath = $_.FullName
            SHA256 = $fileHash
            IsSigned = $signature.Status -eq 'Valid'
            Publisher = $signature.SignerCertificate.Subject
        }
        $report.ScannedComponents += $component

        if (-not $component.IsSigned) {
            $report.SecurityFindings += [PSCustomObject]@{
                Severity = 'High'
                Description = "未签名的组件: $($_.Name)"
                Recommendation = "要求供应商提供数字签名版本或验证组件来源"
            }
        }
    }

    # 依赖包漏洞扫描
    $nugetPackages = Get-ChildItem $ScanPath -Recurse -Include packages.config
    $nugetPackages | ForEach-Object {
        [xml]$config = Get-Content $_.FullName
        $config.packages.package | ForEach-Object {
            $cveData = Invoke-RestMethod "https://api.cvecheck.org/v1/search?id=$($_.id)"
            if ($cveData.vulnerabilities | Where-Object { $_.severity -ge $SeverityLevel }) {
                $report.SecurityFindings += [PSCustomObject]@{
                    Severity = $SeverityLevel
                    Description = "存在漏洞的依赖包: $($_.id) v$($_.version)"
                    Recommendation = "升级到最新安全版本 $($cveData.latestVersion)"
                }
            }
        }
    }

    $report | Export-Csv -Path "$ScanPath\SupplyChainReport_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
    return $report
}