feat(course): build out all 27 modules, capstone, scaffold, and conventions
Scaffold the course repo and author the full curriculum in dependency-chain order, following the settled build decisions in handoff.md. - Scaffold: course README, vendor-neutral AGENTS.md (dogfoods Module 5), _TEMPLATE.md (the fixed 9-section module shape), root .gitignore, ship config. - Modules 1-2: reference exemplars (locked for tone/depth/lab style). - Modules 3-27: full lessons + runnable labs, each following the template, respecting the chain, vendor/model-agnostic, with "feel the pain" labs. - Module 8 hosting comparison web-researched and date-stamped (as of 2026-06-22), not written from memory; expansion-zone modules carry Verify-before-publish. - Capstone: the full loop end to end on the running tasks-app example. Lab code syntax-checked (Python/shell/YAML); every module has the 7 core template sections. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
This commit is contained in:
@@ -0,0 +1,48 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# security-scan.sh — the security gate for tasks-app (Module 15).
|
||||
#
|
||||
# Runs two scanners and exits non-zero if EITHER finds something. That non-zero exit is what turns
|
||||
# a CI run red (Module 14). One script, two homes: run it by hand for fast local feedback, and call
|
||||
# it from the pipeline so the same definition of "a finding" enforces the merge.
|
||||
#
|
||||
# These two tools (pip-audit, detect-secrets) are concrete examples of their categories — SCA and
|
||||
# secret scanning. Swap in any equivalent; keep the contract the same: scan, print, fail on findings.
|
||||
#
|
||||
# Usage: ./security-scan.sh
|
||||
# Install: pip install pip-audit detect-secrets
|
||||
|
||||
set -u # treat unset vars as errors; we manage exit codes explicitly below.
|
||||
|
||||
status=0
|
||||
|
||||
echo "=== Gate 1: SCA / dependency scan (pip-audit) ==="
|
||||
if [ -f requirements.txt ]; then
|
||||
if ! pip-audit -r requirements.txt; then
|
||||
echo ">> SCA gate FAILED: unresolvable or vulnerable dependency. See above." >&2
|
||||
status=1
|
||||
fi
|
||||
else
|
||||
echo "(no requirements.txt found — skipping SCA)"
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "=== Gate 2: secret scan (detect-secrets) ==="
|
||||
# detect-secrets prints a JSON report of any secrets it finds. We treat a non-empty results set as a
|
||||
# failure. `python -c` keeps this portable (no jq dependency).
|
||||
report="$(detect-secrets scan)"
|
||||
if printf '%s' "$report" | python -c 'import sys, json; sys.exit(0 if json.load(sys.stdin).get("results") else 1)'; then
|
||||
echo "$report"
|
||||
echo ">> SECRET gate FAILED: a credential was detected in the tree. See report above." >&2
|
||||
status=1
|
||||
else
|
||||
echo "no secrets detected."
|
||||
fi
|
||||
|
||||
echo
|
||||
if [ "$status" -ne 0 ]; then
|
||||
echo "SECURITY GATE: FAILED" >&2
|
||||
else
|
||||
echo "SECURITY GATE: passed"
|
||||
fi
|
||||
exit "$status"
|
||||
Reference in New Issue
Block a user