Harden secrets handling: env-var DB password + defensive .gitignore

Move hardcoded 'rootpassword' default in parser/{config,backfill_changeover, clmparser,udcparser}.py behind os.environ.get('SHOPDB_DB_PASSWORD', 'rootpassword'). Add defensive patterns (.env, *.key, *.pem, id_rsa*, secrets.*, etc.) to .gitignore across all project repos. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 12:50:12 -04:00
parent 0f78f76410
commit ccd29d9e4b
5 changed files with 30 additions and 10 deletions
--- a/parser/backfill_changeover.py
+++ b/parser/backfill_changeover.py
@@ -1,11 +1,9 @@
 #!/usr/bin/env python3
 """Backfill changeover values for udcparts"""
 import mysql.connector
+from config import DB_CONFIG

-conn = mysql.connector.connect(
-    host='127.0.0.1', port=3306, user='root', 
-    password='rootpassword', database='shopdb'
-)
+conn = mysql.connector.connect(**DB_CONFIG)
 cursor = conn.cursor()

 # Get all machines