nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Docs: update secret scan reproduction steps

This commit is contained in:
Vincent Koc 2026-03-06 14:34:39 -05:00
parent ec3df0dd8f
commit b529b7c6b7
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
docs/gateway/security/index.md
View File

@ -1158,19 +1158,22 @@ If your AI does something bad:
## Secret Scanning (detect-secrets)
CI runs `detect-secrets scan --baseline .secrets.baseline` in the `secrets` job.
If it fails, there are new candidates not yet in the baseline.
CI runs the `detect-secrets` pre-commit hook in the `secrets` job.
It checks changed files when a base commit is available, and falls back to an
all-files scan otherwise. If it fails, there are new candidates not yet in the
baseline.
### If CI fails
1. Reproduce locally:
```bash
detect-secrets scan --baseline .secrets.baseline
pre-commit run --all-files detect-secrets
```
2. Understand the tools:
- `detect-secrets scan` finds candidates and compares them to the baseline.
- `detect-secrets` in pre-commit runs `detect-secrets-hook` with the repo's
baseline and excludes.
- `detect-secrets audit` opens an interactive review to mark each baseline
item as real or false positive.
3. For real secrets: rotate/remove them, then re-run the scan to update the baseline.