Fix Module 15 Bandit stretch's false claim that it flags the hardcoded API key #19
Problem
The Gate-3 stretch claims
The Gate-3 stretch claims `bandit` will flag "the very hardcoded secret from Part C." Bandit's hardcoded-password checks (B105-B107) only fire on identifiers that match its password word list (password, secret, token, …). The lab variable is `SYNC_API_KEY`, which matches none of them, so `bandit -r .` reports "No issues identified." Compounding it, the stretch runs after Part C, where the secret was already removed.

Evidence

- `modules/15-security-scanning/README.md`, Part C stretch (~lines 289-292): "pip install bandit, then `bandit -r .` … including, often, the very hardcoded secret from Part C."
- `modules/15-security-scanning/lab/config.py` uses `SYNC_API_KEY`. Tested: `bandit -r config.py` → "No issues identified."

Why it matters
A verifiable false claim about tool behavior in the very module about scanner limits, and it conflates SAST with secret-scanning — breaking the honesty-about-limits promise and the module's own SCA/secret/SAST taxonomy.
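To make the SAST-versus-secret-scanning distinction concrete for whoever picks this up, here is an added illustration. It is not code from the module, from bandit, or from detect-secrets: it re-implements, in simplified form, a name-based hardcoded-password check in the spirit of B105, a `shell=True` check in the spirit of B602 (the "option 1" fix above), and a keyword-based secret detector of the kind detect-secrets uses. The `config.py` contents below are constructed stand-ins, not the lab's actual file, and the secret values in them are made up.

```python
"""Why a name-based hardcoded-password check misses SYNC_API_KEY while a
keyword-based secret scanner catches it. Simplified approximations of the
tools' heuristics, written for this issue; not the tools' own code."""
import ast
import re

# Constructed stand-in for modules/15-security-scanning/lab/config.py (before Part C).
CONFIG_PY = '''
SYNC_API_KEY = "sk-live-0123456789abcdef0123456789abcdef"
DB_PASSWORD = "correct-horse-battery"
TIMEOUT_SECONDS = 30
'''

# Constructed "option 1" variant: a genuine SAST finding (shell=True) bandit would flag.
CONFIG_WITH_SHELL_PY = CONFIG_PY + '''
import subprocess
def sync(path):
    subprocess.run("rsync -a " + path + " backup:/srv/", shell=True)
'''

# Constructed state after Part C: secrets moved to the environment.
CONFIG_AFTER_PART_C = '''
import os
SYNC_API_KEY = os.environ["SYNC_API_KEY"]
DB_PASSWORD = os.environ["DB_PASSWORD"]
TIMEOUT_SECONDS = 30
'''

# Approximation of the identifier words bandit's B105 family keys on:
# the password/passphrase/pwd/token/secret family. "api_key" is not in it.
BANDIT_LIKE_WORDS = re.compile(r"(pas+wo?r?d|pass(phrase)?|pwd|token|secrete?)", re.I)

# Keyword list of the kind a secret scanner (detect-secrets style) uses; it does
# include api_key, which is the whole difference for this lab.
SECRET_SCANNER_WORDS = re.compile(
    r"(api[_-]?key|secret|token|passw(or)?d|private[_-]?key)", re.I)


def _string_assignments(source):
    """Yield (lineno, name, value) for every `NAME = "string literal"` assignment."""
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Assign)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    yield node.lineno, target.id, node.value.value


def bandit_like_hardcoded_password(source):
    """Simplified B105: flag string assignments whose *name* matches the word list."""
    return sorted(name for _, name, value in _string_assignments(source)
                  if value and BANDIT_LIKE_WORDS.search(name))


def bandit_like_shell_true(source):
    """Simplified B602: flag calls that pass shell=True."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    hits.append(node.lineno)
    return hits


def secret_scanner_keyword(source, min_len=8):
    """Keyword detector: secret-looking name AND a non-trivial literal value."""
    return sorted(name for _, name, value in _string_assignments(source)
                  if len(value) >= min_len and SECRET_SCANNER_WORDS.search(name))


if __name__ == "__main__":
    for label, src in [("before Part C", CONFIG_PY),
                       ("option 1 variant", CONFIG_WITH_SHELL_PY),
                       ("after Part C", CONFIG_AFTER_PART_C)]:
        print(f"--- {label}")
        print("  name-based password check :", bandit_like_hardcoded_password(src))
        print("  shell=True check          :", bandit_like_shell_true(src))
        print("  keyword secret scanner    :", secret_scanner_keyword(src))
```

Running it shows the three points of the issue side by side: the name-based check reports `DB_PASSWORD` but not `SYNC_API_KEY`; only the keyword-based secret scanner reports both; the `shell=True` variant is the kind of thing a SAST check does fire on; and after Part C neither check reports anything, because there is no string literal left to find.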
Proposed change
Pick one:
- `subprocess(..., shell=True)` or string-concatenated SQL) so bandit actually fires and the stretch demonstrates SAST; OR
- `SYNC_API_KEY` — that's detect-secrets' job"; OR

Acceptance criteria

- `SYNC_API_KEY` unless bandit actually does.

Affected files

- `modules/15-security-scanning/README.md` (and `modules/15-security-scanning/lab/config.py` if option 1)

References

Source finding F30 (realVotes 3/3).
Filed from an adversarial multi-agent course review (217 raw findings → 54 adversarially-verified survivors). Scoped for manual review; intentionally not auto-assigned to an agent.