mirror of
https://github.com/openclaw/openclaw.git
synced 2026-03-12 07:20:45 +00:00
* Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence
# detect-secrets exclusion patterns (regex)
#
# Note: detect-secrets does not read this file by default. If you want these
# applied, wire them into your scan command (e.g. translate to --exclude-files
# / --exclude-lines) or into a baseline's filters_used.
[exclude-files]
# pnpm lockfiles contain lots of high-entropy package integrity blobs.
# NOTE(review): this skips the whole lockfile, so anything else that ends up
# in it (for example a registry or tarball URL with embedded credentials) is
# never scanned; confirm the lockfile only references public registries.
pattern = (^|/)pnpm-lock\.yaml$
[exclude-lines]
# `pattern` is repeated in this section, one regex per entry. INI parsers
# disagree on duplicate keys (first wins, last wins, or an error), so whatever
# wires these into a scan must collect every entry; otherwise the entries it
# drops silently stop applying.
# Fastlane checks for private key marker; not a real key.
pattern = key_content\.include\?\("BEGIN PRIVATE KEY"\)
# UI label string for Anthropic auth mode.
pattern = case \.apiKeyEnv: "API key \(env var\)"
# CodingKeys mapping uses apiKey literal.
pattern = case apikey = "apiKey"
# Schema labels referencing password fields (not actual secrets).
pattern = "gateway\.remote\.password"
pattern = "gateway\.auth\.password"
# Schema label for talk API key (label text only).
pattern = "talk\.apiKey"
# checking for typeof is not something we care about.
# NOTE(review): very broad. If applied as an unanchored --exclude-lines regex,
# this suppresses every finding on any line that contains === "string",
# including a line that also carries a real hard-coded credential. Prefer
# narrow entries like the `typeof ... password` one in this section, or an
# inline allowlist pragma on the specific line.
pattern = === "string"
# specific optional-chaining password check that didn't match the line above.
pattern = typeof remote\?\.password === "string"
# Docker apt signing key fingerprint constant; not a secret.
pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=