clawdie-ai/scripts/hooks/SECURITY.md
Clawdie AI ed159bbec0 Add pre-commit security hook to block sensitive data
Implement Privacy-First Documentation strategy:
- Pre-commit hook scans staged files for credentials, IPs, usernames, domains
- Blocks commits containing: samob, smilepowered, 192.168.x.x, 10.x.x.x, password=, secret=, api_key=, token=, etc.
- Auto-generates .git/hooks/sensitive-patterns.txt and sensitive-allowlist.txt on first run
- Users can add false positives to allowlist without removing legitimate content
- Documented in scripts/hooks/SECURITY.md with customization and audit instructions
- Updated CONTRIBUTING.md with setup and troubleshooting steps

Enforcement: All contributors now have automatic sensitive data detection before push.
Benefits: Docs become safe to share publicly, prevents credential leaks, enables Privacy-First approach.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---
Build: pass | Tests: pass — Tests  489 passed | 10 skipped (499)
2026-03-23 22:58:21 +00:00


Security Hooks Documentation

Pre-Commit Sensitive Data Check

The pre-commit hook automatically scans every staged file for sensitive patterns before the commit is created. This stops credentials, usernames, private IPs, and internal domains on the developer's machine, before they are committed and later pushed to the repo.

What It Catches

Default patterns (auto-generated in sensitive-patterns.txt):

  • Usernames: samob (project-specific)
  • Domains: smilepowered (project-specific)
  • Private IPs: 192.168.x.x, 10.x.x.x, 172.16-31.x.x
  • Credentials: Lines containing password=, secret=, api_key=, token=
  • Key Material: private_key, aws_access_key, authorization: bearer

How It Works

  1. On every commit, the hook reads your staged files
  2. Scans each file against the REGEX|Description patterns in .git/hooks/sensitive-patterns.txt
  3. Drops any match that is covered by a FILE:PATTERN entry in .git/hooks/sensitive-allowlist.txt
  4. Blocks the commit (non-zero exit status) if any match remains, reporting what was found
  5. Allows bypass with SKIP_SECURITY_CHECK=1 (not recommended)

Handling False Positives

If a detection is a false positive (e.g., 192.168.0.1 in a tutorial about configuring routers, where the address is part of the documentation itself):

# Add to allowlist
echo "docs/router-setup.md:192\.168\." >> .git/hooks/sensitive-allowlist.txt

# Try commit again
git commit -m "Add router configuration guide"

Format: FILE:PATTERN (one per line).

Customizing Patterns

Edit .git/hooks/sensitive-patterns.txt to add project-specific patterns:

# Add new pattern
echo "mycompany\.internal|Internal company domain" >> .git/hooks/sensitive-patterns.txt

Format: REGEX|Description (pipe-separated, one per line).
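The five steps above and the two file formats (REGEX|Description for patterns, FILE:PATTERN for the allowlist) can be seen end to end in the following scanner. It is an added example written for this page, not the project's own pre-commit hook: the regexes used for the default patterns, case-insensitive matching, glob support in the allowlist FILE field, splitting a pattern line on its last pipe so the regex may use alternation, and scanning the staged blob via "git show :PATH" are all design choices of this example rather than documented behaviour of the real hook.

```shell
#!/usr/bin/env bash
# Added example of a pre-commit scanner that uses the file formats documented
# on this page (illustrative code, not the project's own hook):
#   .git/hooks/sensitive-patterns.txt   REGEX|Description   (# comments allowed)
#   .git/hooks/sensitive-allowlist.txt  FILE:PATTERN        (FILE may be a shell glob)
# Regexes are POSIX ERE, matched case-insensitively with grep -E.

# Seed the patterns file with the defaults the page lists (the regexes are assumed).
write_default_patterns() {
  cat > "$1" <<'EOF'
# REGEX|Description -- split on the LAST pipe, so the regex itself may use alternation
samob|Project username
smilepowered|Project domain
192\.168\.[0-9]{1,3}\.[0-9]{1,3}|Private IP (192.168.x.x)
(^|[^0-9.])10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|Private IP (10.x.x.x)
(^|[^0-9.])172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}|Private IP (172.16-31.x.x)
(password|secret|api_key|token)=|Credential assignment
private_key|aws_access_key|authorization: bearer|Key material
EOF
}

# is_allowlisted PATH CONTENT ALLOWLIST -> 0 if a FILE:PATTERN entry covers both
# the path and the offending line. Split on the FIRST colon because the pattern
# may itself contain colons ("authorization: bearer").
is_allowlisted() {
  local path="$1" content="$2" allowlist="$3" entry afile apat
  [ -f "$allowlist" ] || return 1
  while IFS= read -r entry; do
    case "$entry" in ''|\#*) continue ;; esac
    afile="${entry%%:*}"; apat="${entry#*:}"
    case "$path" in
      $afile) printf '%s\n' "$content" | grep -qiE -- "$apat" && return 0 ;;
    esac
  done < "$allowlist"
  return 1
}

# scan_file FILE PATTERNS ALLOWLIST [LABEL] -> 0 if clean, 1 if any hit survives
# the allowlist. LABEL (default FILE) is the repo path used in the report and for
# allowlist matching, so a temp copy of a staged blob is judged under its real name.
scan_file() {
  local file="$1" patterns="$2" allowlist="$3" label="${4:-$1}" report
  report=$(
    while IFS= read -r entry; do
      case "$entry" in ''|\#*) continue ;; esac
      regex="${entry%|*}"; desc="${entry##*|}"
      grep -nIiE -- "$regex" "$file" 2>/dev/null | while IFS= read -r match; do
        lineno="${match%%:*}"; content="${match#*:}"
        is_allowlisted "$label" "$content" "$allowlist" && continue
        printf '%s:%s: %s\n' "$label" "$lineno" "$desc"
      done
    done < "$patterns"
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report" >&2
  return 1
}

# Hook entry point. Scans the STAGED blob of each added/copied/modified path via
# "git show :PATH", not the working-tree copy, so a partially staged file is
# judged on what will actually be committed.
run_hook() {
  local hooks patterns allowlist tmp status
  hooks="$(git rev-parse --git-dir)/hooks"
  patterns="$hooks/sensitive-patterns.txt"
  allowlist="$hooks/sensitive-allowlist.txt"
  [ -f "$patterns" ] || write_default_patterns "$patterns"   # first run
  [ -f "$allowlist" ] || : > "$allowlist"
  if [ "${SKIP_SECURITY_CHECK:-0}" = "1" ]; then
    echo "pre-commit: WARNING sensitive data check skipped (SKIP_SECURITY_CHECK=1)" >&2
    return 0
  fi
  tmp=$(mktemp)
  git -c core.quotePath=false diff --cached --name-only --diff-filter=ACM | (
    status=0
    while IFS= read -r path; do
      git show ":$path" > "$tmp" 2>/dev/null || continue
      scan_file "$tmp" "$patterns" "$allowlist" "$path" || status=1
    done
    exit "$status"
  )
  status=$?
  rm -f "$tmp"
  [ "$status" -eq 0 ] || echo "pre-commit: commit blocked. Add false positives to $allowlist (FILE:PATTERN) and retry." >&2
  return "$status"
}

# Only run when installed as .git/hooks/pre-commit; sourcing this file for tests does nothing.
if [ "${0##*/}" = "pre-commit" ]; then
  run_hook
  exit $?
fi
```

To install, copy the script to .git/hooks/pre-commit and mark it executable; scan_file can also be called directly on any file for a dry run. Splitting pattern lines on the last pipe is what lets a single line such as "private_key|aws_access_key|authorization: bearer|Key material" carry several alternatives, at the cost that the description itself must not contain a pipe.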

Quarterly Audit

Review what's in your docs:

# Find all allowlist entries
cat .git/hooks/sensitive-allowlist.txt

# Audit docs for private IPs that the allowlist lets through (a bare "10\." would also match version numbers)
grep -rnE "192\.168\.[0-9]+\.[0-9]+|(^|[^0-9.])10\.[0-9]+\.[0-9]+\.[0-9]+" html/docs/ | head -20

Bypassing the Check

If you need to commit without the check:

SKIP_SECURITY_CHECK=1 git commit -m "Emergency fix"

This will warn you but allow the commit. Always review what you're pushing manually. Keep in mind that git commit --no-verify also skips every pre-commit hook, and that the hook and its pattern files live in .git/hooks, which is not versioned and must be installed in each clone: the check is a local safety net for contributors, not an enforcement boundary. If you need a hard guarantee, pair it with a server-side or CI scan of the pushed history.

Testing the Hook

# Add a test file with a fake credential
echo "password=test123" > test-sensitive.txt
git add test-sensitive.txt

# Try to commit (should be blocked)
git commit -m "test"

# Clean up
git reset HEAD test-sensitive.txt
rm test-sensitive.txt

Last updated: 2026-03-23