Onboarding + make M15 gate catch the plant + M17 override (#6,#17,#18,#19,#29) (#58)
Co-authored-by: claude <claude@jpaul.io> Co-committed-by: claude <claude@jpaul.io>
@@ -14,6 +14,13 @@
|
||||
|
||||
set -u # treat unset vars as errors; we manage exit codes explicitly below.
|
||||
|
||||
# A security gate must fail CLOSED. If the interpreter the secret gate needs isn't here, abort with a
|
||||
# non-zero exit rather than sailing past the check and reporting a false "passed".
|
||||
command -v python3 >/dev/null 2>&1 || {
|
||||
echo ">> python3 is required for the secret gate but was not found. Aborting." >&2
|
||||
exit 2
|
||||
}
|
||||
|
||||
status=0
|
||||
|
||||
echo "=== Gate 1: SCA / dependency scan (pip-audit) ==="
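Review bot: The new `command -v python3` guard covers the JSON parser but not `detect-secrets` itself, even though the comment above it says a gate must fail closed when a tool it needs is missing. If the scanner binary is absent, `report="$(detect-secrets scan)"` further down produces empty stdout, which the parser only rejects later as a parse error with a misleading message. Add a sibling guard next to the python3 one: `command -v detect-secrets >/dev/null 2>&1 || { echo ">> detect-secrets is required for the secret gate but was not found. Aborting." >&2; exit 2; }`. Whether the script already checks for detect-secrets elsewhere is not visible from this hunk.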
|
||||
@@ -28,16 +35,33 @@ fi
|
||||
|
||||
echo
|
||||
echo "=== Gate 2: secret scan (detect-secrets) ==="
|
||||
# detect-secrets prints a JSON report of any secrets it finds. We treat a non-empty results set as a
|
||||
# failure. `python -c` keeps this portable (no jq dependency).
|
||||
# detect-secrets prints a JSON report of any secrets it finds. NOTE: with no path it scans the files
|
||||
# git TRACKS, so stage the starter files (`git add`) before running this, or an untracked file is
|
||||
# invisible to the gate. We parse the JSON with `python3` (no jq dependency) and fail CLOSED: the
|
||||
# parser returns 0=secrets found, 1=clean, anything else=couldn't tell — and "couldn't tell" must
|
||||
# count as a failure, never a silent pass.
|
||||
report="$(detect-secrets scan)"
|
||||
if printf '%s' "$report" | python -c 'import sys, json; sys.exit(0 if json.load(sys.stdin).get("results") else 1)'; then
|
||||
echo "$report"
|
||||
echo ">> SECRET gate FAILED: a credential was detected in the tree. See report above." >&2
|
||||
status=1
|
||||
else
|
||||
echo "no secrets detected."
|
||||
fi
|
||||
printf '%s' "$report" | python3 -c 'import sys, json
|
||||
try:
|
||||
found = bool(json.load(sys.stdin).get("results"))
|
||||
except Exception:
|
||||
sys.exit(2)
|
||||
sys.exit(0 if found else 1)'
|
||||
secret_rc=$?
|
||||
case "$secret_rc" in
|
||||
0)
|
||||
echo "$report"
|
||||
echo ">> SECRET gate FAILED: a credential was detected in the tree. See report above." >&2
|
||||
status=1
|
||||
;;
|
||||
1)
|
||||
echo "no secrets detected."
|
||||
;;
|
||||
*)
|
||||
echo ">> SECRET gate ERROR: could not parse the scan output (exit $secret_rc). Failing closed." >&2
|
||||
status=1
|
||||
;;
|
||||
esac
|
||||
|
||||
echo
|
||||
if [ "$status" -ne 0 ]; then
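Review bot: `report="$(detect-secrets scan)"` discards the scanner's own exit status, so the `case` below only sees what the JSON parser makes of stdout. Empty or invalid output does fail closed through the `*)` arm, but a scanner run that exits non-zero while still printing a JSON document with an empty `results` (I cannot confirm from here whether detect-secrets behaves that way) would be reported as "no secrets detected". Capture it and route it into the fail-closed arm: add `scan_rc=$?` directly after the `report=` assignment, add `[ "$scan_rc" -eq 0 ] || secret_rc=3` directly after `secret_rc=$?`, and widen the `*)` message to `echo ">> SECRET gate ERROR: detect-secrets exited $scan_rc, parser exited $secret_rc. Failing closed." >&2`. The `if [ "$status" -ne 0 ]` at the end of the hunk has its body outside it.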