---
# CodeQL configuration for a narrow, high-signal scan of the auth, secrets,
# sandbox and security code paths listed under `paths`.
name: openclaw-codeql-core-auth-secrets-critical-security

# Only the suite named under `queries` runs; the language default suite is off.
disable-default-queries: true

queries:
  - uses: security-extended

# Keep a query only if it satisfies every constraint in the include block.
# NOTE(review): a query that carries no `security-severity` metadata would
# presumably be dropped by this filter as well; confirm that is intended.
query-filters:
  - include:
      precision: [high, very-high]
      tags contain: security
      # Selects scores whose integer part is 7, 8, 9 or 10 (written N.N).
      security-severity: '/([7-9]|10)\.(\d)+/'

# Files and directories in scope for this scan.
# NOTE(review): for TypeScript, narrowing `paths` also narrows what the
# analysis can see, so flows that start or end in files outside this list
# may not be reported; pair this config with a broader scan if such flows
# matter.
# Some entries are already matched by a broader glob in the same list (for
# example `auth-health*.ts` by `*auth*.ts`); they are kept as written.
paths:
  - 'src/agents/*auth*.ts'
  - 'src/agents/**/*auth*.ts'
  - 'src/agents/auth-health*.ts'
  - 'src/agents/auth-profiles'
  - 'src/agents/bash-tools.exec-host-shared.ts'
  - 'src/agents/sandbox'
  - 'src/agents/sandbox.ts'
  - 'src/agents/sandbox-*.ts'
  - 'src/config/*secret*.ts'
  - 'src/config/**/*secret*.ts'
  - 'src/cron/service/jobs.ts'
  - 'src/cron/stagger.ts'
  - 'src/gateway/*auth*.ts'
  - 'src/gateway/**/*auth*.ts'
  - 'src/gateway/*secret*.ts'
  - 'src/gateway/**/*secret*.ts'
  - 'src/gateway/protocol/**/*secret*.ts'
  - 'src/gateway/resolve-configured-secret-input-string*.ts'
  - 'src/gateway/security-path*.ts'
  - 'src/gateway/server-methods/secrets*.ts'
  - 'src/infra/secret-file*.ts'
  - 'src/secrets'
  - 'src/security'

# Exclusions for dependencies, generated or bundled output, and test code.
# NOTE(review): the substring globs (`*mock*`, `*fixture*`, `*bench*`,
# `*test-support*`, `*test-helper*`) match on name alone, so a production
# file under the paths above whose name contains one of these words is
# silently left out of the scan. Review new file names against this list.
paths-ignore:
  - '**/node_modules'
  - '**/coverage'
  - '**/*.generated.ts'
  - '**/*.bundle.js'
  - '**/*-runtime.js'
  - '**/*.test.ts'
  - '**/*.test.tsx'
  - '**/*.e2e.test.ts'
  - '**/*.e2e.test.tsx'
  - '**/*test-support*'
  - '**/*test-helper*'
  - '**/*mock*'
  - '**/*fixture*'
  - '**/*bench*'