openclaw-ops/docs/git-hooks.md

Git Hooks / Secret Scan

This repo uses a lightweight local pre-commit hook as a basic secret-hygiene check.

What it does

On git commit, the hook runs:

  • scripts/scan-secrets.sh

The scanner checks staged content for a small set of high-signal patterns, including:

  • private key blocks
  • common cloud/API token formats
  • suspicious inline assignments like TOKEN=... or PASSWORD: ...

It is intentionally conservative and lightweight.
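
A sketch of how a scanner of this kind can work, as an added example that is not the repo's scripts/scan-secrets.sh. The function names, the sample diff and the specific patterns (PEM header, AWS access key ID, GitHub token, inline assignment) are assumptions chosen to match the three categories listed above.

```shell
#!/bin/sh
# Added example, not the repo's scripts/scan-secrets.sh; patterns are assumptions.

# Case-sensitive formats: PEM private key header, AWS access key ID, GitHub PAT.
STRICT_RE='-----BEGIN ([A-Z]+ )?PRIVATE KEY-----|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}'
# Case-insensitive inline assignment (TOKEN=..., PASSWORD: ...). The value must open
# with 8+ characters free of whitespace, quotes, $, < and {, so ${VAR} refs pass.
ASSIGN_RE="(token|password|secret|api_?key)[a-z0-9_]*[\"']?[[:space:]]*[:=][[:space:]]*[\"']?[^[:space:]\"'\$<{]{8,}"

# Reduce a unified diff on stdin to "path<TAB>added line" records.
# Removed lines, context lines and headers are dropped.
added_lines() {
  awk '/^\+\+\+ / { sub(/^\+\+\+ (b\/)?/, ""); file = $0; next }
       /^\+/      { print file "\t" substr($0, 2) }'
}

# Print the path of every added line that matches; return 1 if any did.
scan_added_lines() {
  added=$(added_lines)
  hits=$( {
    printf '%s\n' "$added" | grep -E  -e "$STRICT_RE" || true
    printf '%s\n' "$added" | grep -Ei -e "$ASSIGN_RE" || true
  } | sort -u )
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | cut -f1   # path only, so the value is not echoed
    return 1
  fi
}

# Constructed sample diff (the AKIA value is AWS's documented example key ID).
sample_diff() {
  cat <<'EOF'
diff --git a/config/app.env b/config/app.env
--- a/config/app.env
+++ b/config/app.env
@@ -1,2 +1,4 @@
 PASSWORD=contextvalue
-PASSWORD=oldsecret123
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+db_password: "hunter2hunter2"
+TOKEN=${CI_TOKEN}
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1 @@
+-----BEGIN RSA PRIVATE KEY-----
EOF
}
# In a hook: git diff --cached --no-color -U0 | scan_added_lines || exit 1
```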

Why this exists

Goal: catch obvious mistakes before they land in git.

It is not meant to be a full secret management or DLP system.

Configuration

This repo uses a repo-local hooks path:

  • .githooks/

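Configured via (run once in each clone; the setting is stored in that clone's local git config and is not carried over by git clone):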

git config core.hooksPath .githooks

Bypass

If the scanner reports a false positive, you can bypass it for a single commit with:

git commit --no-verify

Use that sparingly and only after reviewing the staged diff.

Maintenance

If the scanner is too noisy, tighten patterns. If it misses obvious mistakes, add narrowly targeted patterns rather than broad generic ones.