chore(sync): mirror docs from openclaw/openclaw@47de32ac21

This commit is contained in:
openclaw-docs-sync[bot] 2026-05-02 09:43:55 +00:00
parent b3fb125d27
commit 2ce7fa7f37
2 changed files with 8 additions and 32 deletions

View File

@ -1,5 +1,5 @@
{
"repository": "openclaw/openclaw",
"sha": "e550e83c0ea39479f43461880c55d56b3b07f010",
"syncedAt": "2026-05-02T09:26:14.912Z"
"sha": "47de32ac21e6a751d171ba78ba0f14bd8a17d777",
"syncedAt": "2026-05-02T09:42:06.854Z"
}

View File

@ -1293,38 +1293,14 @@ If your AI does something bad:
- What the attacker sent + what the agent did
- Whether the Gateway was exposed beyond loopback (LAN/Tailscale Funnel/Serve)
## Secret scanning with detect-secrets
## Secret scanning
CI runs the `detect-secrets` pre-commit hook in the `secrets` job.
Pushes to `main` always run an all-files scan. Pull requests use a changed-file
fast path when a base commit is available, and fall back to an all-files scan
otherwise. If it fails, there are new candidates not yet in the baseline.
CI runs the pre-commit `detect-private-key` hook over the repository. If it
fails, remove or rotate the committed key material, then reproduce locally:
### If CI fails
1. Reproduce locally:
```bash
pre-commit run --all-files detect-secrets
```
2. Understand the tools:
- `detect-secrets` in pre-commit runs `detect-secrets-hook` with the repo's
baseline and excludes.
- `detect-secrets audit` opens an interactive review to mark each baseline
item as real or false positive.
3. For real secrets: rotate/remove them, then re-run the scan to update the baseline.
4. For false positives: run the interactive audit and mark them as false:
```bash
detect-secrets audit .secrets.baseline
```
5. If you need new excludes, add them to `.detect-secrets.cfg` and regenerate the
baseline with matching `--exclude-files` / `--exclude-lines` flags (the config
file is reference-only; detect-secrets doesnt read it automatically).
Commit the updated `.secrets.baseline` once it reflects the intended state.
```bash
pre-commit run --all-files detect-private-key
```
## Reporting security issues