Fix Module 15 security gate failing OPEN on python3-only systems (bare python)
#17
Problem

`security-scan.sh` pipes detect-secrets JSON into `python -c` to decide pass/fail. On systems with only `python3` (fresh Ubuntu, modern macOS), `python` is not found, `python -c` exits 127, the `if` takes the else branch, prints "no secrets detected.", and leaves status 0 — so a real hardcoded secret slips the gate silently. The comment even calls this line "portable." A security gate that fails OPEN is worse than no gate.

Evidence

`modules/15-security-scanning/lab/security-scan.sh` (~lines 32-39):

Script uses `set -u` only (no `set -e`/`pipefail`). Reproduced: python3-only PATH with a real secret → "SECURITY GATE: passed", exit 0.

Why it matters
This is the central worked example of the security module, and the bug defeats the gate on common modern platforms — directly against the module's purpose and the honesty promise.
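To make the fail-open path concrete, here is an added example (not the repository's script, whose lines are not quoted in this issue): an assumed reconstruction of the gate's `if`/else shape beside a fail-closed variant that adds the `command -v` interpreter check, both run against constructed detect-secrets-style JSON and a deliberately missing interpreter name.

```shell
#!/bin/sh
# Added illustration for this issue: an ASSUMED reconstruction of the gate's
# if/else shape (the real security-scan.sh lines are not reproduced here)
# beside a fail-closed rewrite. JSON below is constructed, detect-secrets style.
SCAN_WITH_SECRET='{"results":{"app/config.py":[{"type":"Secret Keyword","line_number":3}]}}'
SCAN_CLEAN='{"results":{}}'

# Verdict one-liner handed to the interpreter: exit 0 when any finding exists,
# exit 1 when the results map is empty.
CHECK='import json,sys; sys.exit(0 if json.load(sys.stdin)["results"] else 1)'

# Buggy shape: only exit 0 means "secret found"; every other status, including
# 127 for a missing interpreter, falls into the else branch and passes the gate.
gate_fail_open() {            # $1 = interpreter name, JSON on stdin
  rc=0; "$1" -c "$CHECK" 2>/dev/null || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "SECURITY GATE: FAILED"; return 1
  else
    echo "no secrets detected."; return 0
  fi
}

# Hardened shape: require the interpreter up front (the command -v check from
# the proposed change) and accept only the explicit "clean" status as a pass.
gate_fail_closed() {          # $1 = interpreter name, JSON on stdin
  command -v "$1" >/dev/null 2>&1 || { echo "$1 required"; return 2; }
  rc=0; "$1" -c "$CHECK" || rc=$?
  case "$rc" in
    0) echo "SECURITY GATE: FAILED"; return 1 ;;
    1) echo "no secrets detected."; return 0 ;;
    *) echo "verdict check crashed (status $rc)"; return 2 ;;
  esac
}

# Stand-alone demo with a deliberately missing interpreter name (constructed):
printf '%s' "$SCAN_WITH_SECRET" | gate_fail_open no-such-python-xyz      # prints "no secrets detected."
printf '%s' "$SCAN_WITH_SECRET" | gate_fail_closed no-such-python-xyz || echo "gate aborted, status $?"
```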
Proposed change
- `python3` instead of bare `python` (idiomatic for this Unix bash script; detect-secrets is itself Python-installed).
- `command -v python3 >/dev/null 2>&1 || { echo "python3 required"; exit 2; }` so a missing interpreter aborts rather than passing.

Acceptance criteria
Affected files
`modules/15-security-scanning/lab/security-scan.sh`

References
Source finding F28 (realVotes 3/3). Related: bare `python` portability is also flagged in F11.

Filed from an adversarial multi-agent course review (217 raw findings → 54 adversarially-verified survivors). Scoped for manual review; intentionally not auto-assigned to an agent.