openclaw/.detect-secrets.cfg

# detect-secrets exclusion patterns (regex)
#
# Note: detect-secrets does not read this file by default. If you want these
# applied, wire them into your scan command (e.g. translate to --exclude-files
# / --exclude-lines) or into a baseline's filters_used.

[exclude-files]
# pnpm lockfiles contain lots of high-entropy package integrity blobs.
pattern = (^|/)pnpm-lock\.yaml$

[exclude-lines]
# Fastlane checks for private key marker; not a real key.
pattern = key_content\.include\?\("BEGIN PRIVATE KEY"\)
# UI label string for Anthropic auth mode.
pattern = case \.apiKeyEnv: "API key \(env var\)"
# CodingKeys mapping uses apiKey literal.
pattern = case apikey = "apiKey"
# Schema labels referencing password fields (not actual secrets).
pattern = "gateway\.remote\.password"
pattern = "gateway\.auth\.password"
# Schema label for talk API key (label text only).
pattern = "talk\.apiKey"
# checking for typeof is not something we care about.
pattern = === "string"
# specific optional-chaining password check that didn't match the line above.
pattern = typeof remote\?\.password === "string"
# Docker apt signing key fingerprint constant; not a secret.
pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=
# Credential matrix metadata field in docs JSON; not a secret value.
pattern = "secretShape": "(secret_input|sibling_ref)"
# Docs line describing API key rotation knobs; not a credential.
pattern = API key rotation \(provider-specific\): set `\*_API_KEYS`
# Docs line describing remote password precedence; not a credential.
pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd`
pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd`
# Test fixture starts a multiline fake private key; detector should ignore the header line.
pattern = const key = `-----BEGIN PRIVATE KEY-----
# Docs examples: literal placeholder API key snippets and shell heredoc helper.
pattern = export CUSTOM_API_K[E]Y="your-key"
pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \|\| cat >> ~/.bashrc <<'EOF'
pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
pattern = "ap[i]Key": "xxxxx",
pattern = ap[i]Key: "A[I]za\.\.\.",
# Sparkle appcast signatures are release metadata, not credentials.
pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"
Security: add detect-secrets scan 2026-01-05 15:13:51 +02:00			`# detect-secrets exclusion patterns (regex)`
			`#`
			`# Note: detect-secrets does not read this file by default. If you want these`
			`# applied, wire them into your scan command (e.g. translate to --exclude-files`
			`# / --exclude-lines) or into a baseline's filters_used.`

			`[exclude-files]`
			`# pnpm lockfiles contain lots of high-entropy package integrity blobs.`
			`pattern = (^\|/)pnpm-lock\.yaml$`

			`[exclude-lines]`
			`# Fastlane checks for private key marker; not a real key.`
			`pattern = key_content\.include\?\("BEGIN PRIVATE KEY"\)`
			`# UI label string for Anthropic auth mode.`
			`pattern = case \.apiKeyEnv: "API key \(env var\)"`
			`# CodingKeys mapping uses apiKey literal.`
			`pattern = case apikey = "apiKey"`
			`# Schema labels referencing password fields (not actual secrets).`
			`pattern = "gateway\.remote\.password"`
			`pattern = "gateway\.auth\.password"`
			`# Schema label for talk API key (label text only).`
			`pattern = "talk\.apiKey"`
			`# checking for typeof is not something we care about.`
			`pattern = === "string"`
			`# specific optional-chaining password check that didn't match the line above.`
			`pattern = typeof remote\?\.password === "string"`
Secrets: add inline allowlist review set (#38314) * Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence 2026-03-06 19:35:26 -05:00			`# Docker apt signing key fingerprint constant; not a secret.`
			`pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=`
CI: restore main detect-secrets scan (#38438) * Tests: stabilize detect-secrets fixtures * Tests: fix rebased detect-secrets false positives * Docs: keep snippets valid under detect-secrets * Tests: finalize detect-secrets false-positive fixes * Tests: reduce detect-secrets false positives * Tests: keep detect-secrets pragmas inline * Tests: remediate next detect-secrets batch * Tests: tighten detect-secrets allowlists * Tests: stabilize detect-secrets formatter drift 2026-03-07 13:06:35 -05:00			`# Credential matrix metadata field in docs JSON; not a secret value.`
			`pattern = "secretShape": "(secret_input\|sibling_ref)"`
			`# Docs line describing API key rotation knobs; not a credential.`
			pattern = API key rotation \(provider-specific\): set `\*_API_KEYS`
			`# Docs line describing remote password precedence; not a credential.`
			pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd`
			pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd`
			`# Test fixture starts a multiline fake private key; detector should ignore the header line.`
			pattern = const key = `-----BEGIN PRIVATE KEY-----
			`# Docs examples: literal placeholder API key snippets and shell heredoc helper.`
			`pattern = export CUSTOM_API_K[E]Y="your-key"`
			`pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \\|\\| cat >> ~/.bashrc <<'EOF'`
			`pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},`
			`pattern = "ap[i]Key": "xxxxx",`
			`pattern = ap[i]Key: "A[I]za\.\.\.",`
fix: stabilize launchd paths and appcast secret scan 2026-03-09 08:37:37 +00:00			`# Sparkle appcast signatures are release metadata, not credentials.`
			`pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"`