ai-workflow-course/modules/15-security-scanning/lab/ci-security.yml
claude fbec36cb67 feat(course): build out all 27 modules, capstone, scaffold, and conventions
Scaffold the course repo and author the full curriculum in dependency-chain
order, following the settled build decisions in handoff.md.

- Scaffold: course README, vendor-neutral AGENTS.md (dogfoods Module 5),
  _TEMPLATE.md (the fixed 9-section module shape), root .gitignore, ship config.
- Modules 1-2: reference exemplars (locked for tone/depth/lab style).
- Modules 3-27: full lessons + runnable labs, each following the template,
  respecting the chain, vendor/model-agnostic, with "feel the pain" labs.
- Module 8 hosting comparison web-researched and date-stamped (as of 2026-06-22),
  not written from memory; expansion-zone modules carry Verify-before-publish.
- Capstone: the full loop end to end on the running tasks-app example.

Lab code syntax-checked (Python/shell/YAML); every module has the 7 core
template sections.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
2026-06-22 12:18:30 -04:00

43 lines
1.7 KiB
YAML

# ci-security.yml — the security gate as a CI step (Module 15).
#
# This is a PROVIDER-NEUTRAL snippet, not a drop-in file. The YAML below uses the widely-shared
# "workflow / job / steps" shape that most hosted and self-hosted CI systems understand (the exact
# top-level keys and runner labels follow whatever host you set up in Module 14). Copy the *steps*
# into the pipeline you already have rather than adding a second, competing workflow.
#
# The contract is the same on every platform:
# 1. check out the code
# 2. install the scanners
# 3. run the gate (security-scan.sh), which exits non-zero on any finding -> the job goes red
#
# Because the real logic lives in security-scan.sh, this file stays tiny and your local run and your
# CI run can never drift apart.
name: security
on: [push, pull_request] # run on the same events as your Module 14 build/test job

jobs:
  security-scan:
    runs-on: ubuntu-latest # or your self-hosted runner label (Module 19)
    steps:
      - name: Check out the code
        uses: actions/checkout@v4
        # Secret scanning cares about history. If your tool scans commits (not just the working
        # tree), fetch full history here — e.g. set `with: { fetch-depth: 0 }`.

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Install scanners
        run: pip install pip-audit detect-secrets

      - name: Run the security gate
        run: |
          chmod +x security-scan.sh
          ./security-scan.sh
        # Non-zero exit fails the job. Require this job to pass before merge (branch protection on
        # your remote, Module 8/10) and the gate actually has teeth.
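The gate script that the last step calls is not part of this file. What follows is an added, illustrative security-scan.sh (not the module's own lab script) showing the contract the comments describe: run every installed scanner, report all findings in one pass, and exit non-zero if any scanner found something. It assumes a requirements.txt for pip-audit and an audited detect-secrets baseline at .secrets.baseline; both paths are assumptions.

```shell
#!/usr/bin/env bash
# security-scan.sh (illustrative, not the module's own script): the gate ci-security.yml
# calls. Every scanner runs, every failure is reported, and the exit status is non-zero
# if any scanner found something. Assumed inputs: requirements.txt, .secrets.baseline.
set -u

# Dependency vulnerabilities: pip-audit exits non-zero when a pinned package has a known
# advisory (--strict also fails on packages it could not resolve or audit).
check_deps() { pip-audit --strict -r requirements.txt; }

# Leaked credentials: detect-secrets-hook exits non-zero when a tracked file contains a
# secret that is not already recorded (and audited) in the baseline.
check_secrets() { git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline; }

# A scanner that is not installed must fail the gate too: a skipped check proves nothing.
require_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing scanner: $tool" >&2; return 1; }
    done
}

# Run every check named in the arguments WITHOUT stopping at the first failure, so one
# CI run reports the whole list. Returns the number of failed checks: "any finding"
# therefore maps to a non-zero exit status, which is what turns the CI job red.
run_checks() {
    failed=0
    failed_names=""
    for check in "$@"; do
        if "$check"; then
            echo "PASS $check"
        else
            failed=$((failed + 1))
            failed_names="$failed_names $check"
            echo "FAIL $check"
        fi
    done
    if [ "$failed" -eq 0 ]; then
        echo "security gate: all checks passed"
    else
        echo "security gate: $failed check(s) failed:$failed_names" >&2
    fi
    return "$failed"
}
main() {
    require_tools git pip-audit detect-secrets-hook || exit 2
    run_checks check_deps check_secrets
}
# Run the gate only when invoked as the script itself; under another name (or when sourced)
# the file just defines the functions, which keeps them testable.
case "${0##*/}" in security-scan.sh) main "$@" ;; esac
```

Because the aggregation lives in run_checks, adding a third scanner is one new function plus one more name in main; the non-zero-on-any-finding contract stays unchanged.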