Docs: update secret scan reproduction steps

This commit is contained in:
Vincent Koc
2026-03-06 14:34:39 -05:00
parent ec3df0dd8f
commit b529b7c6b7


@@ -1158,19 +1158,22 @@ If your AI does something bad:
## Secret Scanning (detect-secrets) ## Secret Scanning (detect-secrets)
CI runs `detect-secrets scan --baseline .secrets.baseline` in the `secrets` job. CI runs the `detect-secrets` pre-commit hook in the `secrets` job.
If it fails, there are new candidates not yet in the baseline. It checks changed files when a base commit is available, and falls back to an
all-files scan otherwise. If it fails, there are new candidates not yet in the
baseline.
### If CI fails ### If CI fails
1. Reproduce locally: 1. Reproduce locally:
```bash ```bash
detect-secrets scan --baseline .secrets.baseline pre-commit run --all-files detect-secrets
``` ```
2. Understand the tools: 2. Understand the tools:
- `detect-secrets scan` finds candidates and compares them to the baseline. - `detect-secrets` in pre-commit runs `detect-secrets-hook` with the repo's
baseline and excludes.
- `detect-secrets audit` opens an interactive review to mark each baseline - `detect-secrets audit` opens an interactive review to mark each baseline
item as real or false positive. item as real or false positive.
3. For real secrets: rotate/remove them, then re-run the scan to update the baseline. 3. For real secrets: rotate/remove them, then re-run the scan to update the baseline.
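Review bot: step 3 still tells the reader to "re-run the scan to update the baseline", but this hunk removes the only scan command from step 1 (`detect-secrets scan --baseline .secrets.baseline`) and replaces it with `pre-commit run --all-files detect-secrets`, which only runs the hook against the existing baseline; a reader following the new text has no command left that actually regenerates the baseline. Spell it out in step 3, e.g. `detect-secrets scan --baseline .secrets.baseline`, so the update path does not depend on the removed line. Related: the new intro says CI "checks changed files when a base commit is available, and falls back to an all-files scan otherwise", while the reproduction step only shows the all-files fallback; if the CI run that failed was the changed-files mode, a note on reproducing that mode (pre-commit's `--from-ref`/`--to-ref` pair, if that is what the job uses) would make the "Reproduce locally" step match what CI did.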