Files
ai-workflow-course/modules/15-security-scanning/lab/security-scan.sh
T
claude 3bab54d135 fix(modules-1,15,17): onboarding step, make M15 gate actually catch the plant, M17 .env override
- M1: add a no-git "Get the course materials" step (download+unzip; clone noted
  as Module 8) so Part A's paths resolve without assuming git. URL flagged
  Verify-before-publish (swap to public host before publishing).
- M15: security gate was failing OPEN on python3-only systems (bare `python`)
  and missing the UNTRACKED config.py, so the planted secret passed green. Now
  guards python3, fails CLOSED on any non-clean exit, and stages files so the
  planted SYNC_API_KEY + typosquat dep are actually caught.
- M15: correct the false "Bandit flags the API key" claim (B105-107 need
  password-named ids); add an honest MD5 (B324) flaw so the SAST demo fires.
  Planted secret/deps preserved.
- M17: require the .env loader to use setdefault so Part D's override demo works;
  explain precedence. Hardcoded "before" anti-pattern left intact.

Closes #6
Closes #17
Closes #18
Closes #19
Closes #29

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
2026-06-22 15:48:27 -04:00

73 lines
2.5 KiB
Bash

#!/usr/bin/env bash
#
# security-scan.sh — the security gate for tasks-app (Module 15).
#
# Runs two scanners and exits non-zero if EITHER finds something. That non-zero exit is what turns
# a CI run red (Module 14). One script, two homes: run it by hand for fast local feedback, and call
# it from the pipeline so the same definition of "a finding" enforces the merge.
#
# These two tools (pip-audit, detect-secrets) are concrete examples of their categories — SCA and
# secret scanning. Swap in any equivalent; keep the contract the same: scan, print, fail on findings.
#
# Usage: ./security-scan.sh
# Install: pip install pip-audit detect-secrets
set -u # treat unset vars as errors; we manage exit codes explicitly below.
# A security gate must fail CLOSED. If the interpreter the secret gate needs isn't here, abort with a
# non-zero exit rather than sailing past the check and reporting a false "passed".
command -v python3 >/dev/null 2>&1 || {
echo ">> python3 is required for the secret gate but was not found. Aborting." >&2
exit 2
}
status=0
echo "=== Gate 1: SCA / dependency scan (pip-audit) ==="
if [ -f requirements.txt ]; then
if ! pip-audit -r requirements.txt; then
echo ">> SCA gate FAILED: unresolvable or vulnerable dependency. See above." >&2
status=1
fi
else
echo "(no requirements.txt found — skipping SCA)"
fi
echo
echo "=== Gate 2: secret scan (detect-secrets) ==="
# detect-secrets prints a JSON report of any secrets it finds. NOTE: with no path it scans the files
# git TRACKS, so stage the starter files (`git add`) before running this, or an untracked file is
# invisible to the gate. We parse the JSON with `python3` (no jq dependency) and fail CLOSED: the
# parser returns 0=secrets found, 1=clean, anything else=couldn't tell — and "couldn't tell" must
# count as a failure, never a silent pass.
report="$(detect-secrets scan)"
printf '%s' "$report" | python3 -c 'import sys, json
try:
found = bool(json.load(sys.stdin).get("results"))
except Exception:
sys.exit(2)
sys.exit(0 if found else 1)'
secret_rc=$?
case "$secret_rc" in
0)
echo "$report"
echo ">> SECRET gate FAILED: a credential was detected in the tree. See report above." >&2
status=1
;;
1)
echo "no secrets detected."
;;
*)
echo ">> SECRET gate ERROR: could not parse the scan output (exit $secret_rc). Failing closed." >&2
status=1
;;
esac
echo
if [ "$status" -ne 0 ]; then
echo "SECURITY GATE: FAILED" >&2
else
echo "SECURITY GATE: passed"
fi
exit "$status"