diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 7e9d43609..c958dfb71 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "e550e83c0ea39479f43461880c55d56b3b07f010", - "syncedAt": "2026-05-02T09:26:14.912Z" + "sha": "47de32ac21e6a751d171ba78ba0f14bd8a17d777", + "syncedAt": "2026-05-02T09:42:06.854Z" } diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 18b5da40f..482818a93 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -1293,38 +1293,14 @@ If your AI does something bad: - What the attacker sent + what the agent did - Whether the Gateway was exposed beyond loopback (LAN/Tailscale Funnel/Serve) -## Secret scanning with detect-secrets +## Secret scanning -CI runs the `detect-secrets` pre-commit hook in the `secrets` job. -Pushes to `main` always run an all-files scan. Pull requests use a changed-file -fast path when a base commit is available, and fall back to an all-files scan -otherwise. If it fails, there are new candidates not yet in the baseline. +CI runs the pre-commit `detect-private-key` hook over the repository. If it +fails, remove or rotate the committed key material, then reproduce locally: -### If CI fails - -1. Reproduce locally: - - ```bash - pre-commit run --all-files detect-secrets - ``` - -2. Understand the tools: - - `detect-secrets` in pre-commit runs `detect-secrets-hook` with the repo's - baseline and excludes. - - `detect-secrets audit` opens an interactive review to mark each baseline - item as real or false positive. -3. For real secrets: rotate/remove them, then re-run the scan to update the baseline. -4. For false positives: run the interactive audit and mark them as false: - - ```bash - detect-secrets audit .secrets.baseline - ``` - -5. If you need new excludes, add them to `.detect-secrets.cfg` and regenerate the - baseline with matching `--exclude-files` / `--exclude-lines` flags (the config - file is reference-only; detect-secrets doesn’t read it automatically). - -Commit the updated `.secrets.baseline` once it reflects the intended state. +```bash +pre-commit run --all-files detect-private-key +``` ## Reporting security issues