a6a3cfdc50
Co-authored-by: claude <claude@jpaul.io> Co-committed-by: claude <claude@jpaul.io>
73 lines
2.5 KiB
Bash
73 lines
2.5 KiB
Bash
#!/usr/bin/env bash
|
|
#
|
|
# security-scan.sh — the security gate for tasks-app (Module 15).
|
|
#
|
|
# Runs two scanners and exits non-zero if EITHER finds something. That non-zero exit is what turns
|
|
# a CI run red (Module 14). One script, two homes: run it by hand for fast local feedback, and call
|
|
# it from the pipeline so the same definition of "a finding" enforces the merge.
|
|
#
|
|
# These two tools (pip-audit, detect-secrets) are concrete examples of their categories — SCA and
|
|
# secret scanning. Swap in any equivalent; keep the contract the same: scan, print, fail on findings.
|
|
#
|
|
# Usage: ./security-scan.sh
|
|
# Install: pip install pip-audit detect-secrets
|
|
|
|
set -u # treat unset vars as errors; we manage exit codes explicitly below.
|
|
|
|
# A security gate must fail CLOSED. If the interpreter the secret gate needs isn't here, abort with a
|
|
# non-zero exit rather than sailing past the check and reporting a false "passed".
|
|
command -v python3 >/dev/null 2>&1 || {
|
|
echo ">> python3 is required for the secret gate but was not found. Aborting." >&2
|
|
exit 2
|
|
}
|
|
|
|
status=0
|
|
|
|
echo "=== Gate 1: SCA / dependency scan (pip-audit) ==="
|
|
if [ -f requirements.txt ]; then
|
|
if ! pip-audit -r requirements.txt; then
|
|
echo ">> SCA gate FAILED: unresolvable or vulnerable dependency. See above." >&2
|
|
status=1
|
|
fi
|
|
else
|
|
echo "(no requirements.txt found — skipping SCA)"
|
|
fi
|
|
|
|
echo
|
|
echo "=== Gate 2: secret scan (detect-secrets) ==="
|
|
# detect-secrets prints a JSON report of any secrets it finds. NOTE: with no path it scans the files
|
|
# git TRACKS, so stage the starter files (`git add`) before running this, or an untracked file is
|
|
# invisible to the gate. We parse the JSON with `python3` (no jq dependency) and fail CLOSED: the
|
|
# parser returns 0=secrets found, 1=clean, anything else=couldn't tell — and "couldn't tell" must
|
|
# count as a failure, never a silent pass.
|
|
report="$(detect-secrets scan)"
|
|
printf '%s' "$report" | python3 -c 'import sys, json
|
|
try:
|
|
found = bool(json.load(sys.stdin).get("results"))
|
|
except Exception:
|
|
sys.exit(2)
|
|
sys.exit(0 if found else 1)'
|
|
secret_rc=$?
|
|
case "$secret_rc" in
|
|
0)
|
|
echo "$report"
|
|
echo ">> SECRET gate FAILED: a credential was detected in the tree. See report above." >&2
|
|
status=1
|
|
;;
|
|
1)
|
|
echo "no secrets detected."
|
|
;;
|
|
*)
|
|
echo ">> SECRET gate ERROR: could not parse the scan output (exit $secret_rc). Failing closed." >&2
|
|
status=1
|
|
;;
|
|
esac
|
|
|
|
echo
|
|
if [ "$status" -ne 0 ]; then
|
|
echo "SECURITY GATE: FAILED" >&2
|
|
else
|
|
echo "SECURITY GATE: passed"
|
|
fi
|
|
exit "$status"
|