fix(modules-1,15,17): onboarding step, make M15 gate actually catch the plant, M17 .env override
- M1: add a no-git "Get the course materials" step (download+unzip; clone noted as Module 8) so Part A's paths resolve without assuming git. URL flagged Verify-before-publish (swap to public host before publishing). - M15: security gate was failing OPEN on python3-only systems (bare `python`) and missing the UNTRACKED config.py, so the planted secret passed green. Now guards python3, fails CLOSED on any non-clean exit, and stages files so the planted SYNC_API_KEY + typosquat dep are actually caught. - M15: correct the false "Bandit flags the API key" claim (B105-107 need password-named ids); add an honest MD5 (B324) flaw so the SAST demo fires. Planted secret/deps preserved. - M17: require the .env loader to use setdefault so Part D's override demo works; explain precedence. Hardcoded "before" anti-pattern left intact. Closes #6 Closes #17 Closes #18 Closes #19 Closes #29 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
This commit is contained in:
@@ -14,6 +14,13 @@
|
||||
|
||||
set -u # treat unset vars as errors; we manage exit codes explicitly below.
|
||||
|
||||
# A security gate must fail CLOSED. If the interpreter the secret gate needs isn't here, abort with a
|
||||
# non-zero exit rather than sailing past the check and reporting a false "passed".
|
||||
command -v python3 >/dev/null 2>&1 || {
|
||||
echo ">> python3 is required for the secret gate but was not found. Aborting." >&2
|
||||
exit 2
|
||||
}
|
||||
|
||||
status=0
|
||||
|
||||
echo "=== Gate 1: SCA / dependency scan (pip-audit) ==="
|
||||
@@ -28,16 +35,33 @@ fi
|
||||
|
||||
echo
|
||||
echo "=== Gate 2: secret scan (detect-secrets) ==="
|
||||
# detect-secrets prints a JSON report of any secrets it finds. We treat a non-empty results set as a
|
||||
# failure. `python -c` keeps this portable (no jq dependency).
|
||||
# detect-secrets prints a JSON report of any secrets it finds. NOTE: with no path it scans the files
|
||||
# git TRACKS, so stage the starter files (`git add`) before running this, or an untracked file is
|
||||
# invisible to the gate. We parse the JSON with `python3` (no jq dependency) and fail CLOSED: the
|
||||
# parser returns 0=secrets found, 1=clean, anything else=couldn't tell — and "couldn't tell" must
|
||||
# count as a failure, never a silent pass.
|
||||
report="$(detect-secrets scan)"
|
||||
if printf '%s' "$report" | python -c 'import sys, json; sys.exit(0 if json.load(sys.stdin).get("results") else 1)'; then
|
||||
echo "$report"
|
||||
echo ">> SECRET gate FAILED: a credential was detected in the tree. See report above." >&2
|
||||
status=1
|
||||
else
|
||||
echo "no secrets detected."
|
||||
fi
|
||||
printf '%s' "$report" | python3 -c 'import sys, json
|
||||
try:
|
||||
found = bool(json.load(sys.stdin).get("results"))
|
||||
except Exception:
|
||||
sys.exit(2)
|
||||
sys.exit(0 if found else 1)'
|
||||
secret_rc=$?
|
||||
case "$secret_rc" in
|
||||
0)
|
||||
echo "$report"
|
||||
echo ">> SECRET gate FAILED: a credential was detected in the tree. See report above." >&2
|
||||
status=1
|
||||
;;
|
||||
1)
|
||||
echo "no secrets detected."
|
||||
;;
|
||||
*)
|
||||
echo ">> SECRET gate ERROR: could not parse the scan output (exit $secret_rc). Failing closed." >&2
|
||||
status=1
|
||||
;;
|
||||
esac
|
||||
|
||||
echo
|
||||
if [ "$status" -ne 0 ]; then
|
||||
|
||||
Reference in New Issue
Block a user