Files
ai-workflow-course/modules/15-security-scanning/lab/config.py
T
claude 2684095e2f Build out all 27 modules + capstone (#1)
Co-authored-by: claude <claude@jpaul.io>
Co-committed-by: claude <claude@jpaul.io>
2026-06-22 12:19:01 -04:00

29 lines
1.4 KiB
Python

"""Cloud-sync config for tasks-app — a realistic snapshot of what an AI hands you.
Asked to "sync tasks to a cloud service," a model will cheerfully produce something like this: it
works, it reads naturally, it passes lint and tests... and it has a live credential baked straight
into the source. That is the *exact* failure mode Module 15's secret-scanning gate exists to catch.
DO NOT copy this pattern. The point of this file is to be caught by a scanner, not imitated.
The fix (read from the environment) is shown at the bottom, commented out, so you can see the
difference once Part C of the lab is done.
"""
# --- The problem the scanner should flag -------------------------------------------------------
# A hardcoded API key. Looks like a normal string literal; lint and tests will never complain.
SYNC_API_KEY = "sk_live_9c3f2a7b41d84e0fa6b2c5d8e1f09a73bdac46"
SYNC_ENDPOINT = "https://api.example-task-cloud.com/v1/sync"
def sync_headers() -> dict:
return {"Authorization": f"Bearer {SYNC_API_KEY}"}
# --- The fix (Part C) --------------------------------------------------------------------------
# Read the secret from the environment instead of committing it. Proper secret management — env
# files, secret stores, per-environment config — is Module 17. This is just enough to make the
# scanner go quiet honestly.
#
# import os
# SYNC_API_KEY = os.environ["SYNC_API_KEY"] # set it outside the repo; never commit the value