Files
ai-workflow-course/modules/15-security-scanning/lab/security-scan.sh
T
claude 2684095e2f Build out all 27 modules + capstone (#1)
Co-authored-by: claude <claude@jpaul.io>
Co-committed-by: claude <claude@jpaul.io>
2026-06-22 12:19:01 -04:00

49 lines
1.7 KiB
Bash

#!/usr/bin/env bash
#
# security-scan.sh — the security gate for tasks-app (Module 15).
#
# Runs two scanners and exits non-zero if EITHER finds something. That non-zero exit is what turns
# a CI run red (Module 14). One script, two homes: run it by hand for fast local feedback, and call
# it from the pipeline so the same definition of "a finding" enforces the merge.
#
# These two tools (pip-audit, detect-secrets) are concrete examples of their categories — SCA and
# secret scanning. Swap in any equivalent; keep the contract the same: scan, print, fail on findings.
#
# Usage: ./security-scan.sh
# Install: pip install pip-audit detect-secrets
set -u # treat unset vars as errors; we manage exit codes explicitly below.
status=0
echo "=== Gate 1: SCA / dependency scan (pip-audit) ==="
if [ -f requirements.txt ]; then
if ! pip-audit -r requirements.txt; then
echo ">> SCA gate FAILED: unresolvable or vulnerable dependency. See above." >&2
status=1
fi
else
echo "(no requirements.txt found — skipping SCA)"
fi
echo
echo "=== Gate 2: secret scan (detect-secrets) ==="
# detect-secrets prints a JSON report of any secrets it finds. We treat a non-empty results set as a
# failure. `python -c` keeps this portable (no jq dependency).
report="$(detect-secrets scan)"
if printf '%s' "$report" | python -c 'import sys, json; sys.exit(0 if json.load(sys.stdin).get("results") else 1)'; then
echo "$report"
echo ">> SECRET gate FAILED: a credential was detected in the tree. See report above." >&2
status=1
else
echo "no secrets detected."
fi
echo
if [ "$status" -ne 0 ]; then
echo "SECURITY GATE: FAILED" >&2
else
echo "SECURITY GATE: passed"
fi
exit "$status"