davida-ps
3cef7aa46b
fix(security): harden high scan findings (#258)
* fix(security): harden high scan findings
* fix(security): tighten review hardening
* fix(nanoclaw): preserve prerelease advisory matching
2026-06-07 13:00:56 +03:00
github-actions[bot]
f56a0864f7
chore: update NVD/GHSA advisories - 6 NVD new, 6 NVD updated (#251)
Automated update from NVD CVE and GHSA advisory feeds.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-05-31T07:16:20Z to 2026-06-03T07:36:53.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-06-03 11:10:10 +03:00
github-actions[bot]
58b092d6d0
chore: update NVD/GHSA advisories - 7 NVD new, 1 NVD updated (#250)
Automated update from NVD CVE and GHSA advisory feeds.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-05-27T06:34:09Z to 2026-05-31T07:15:12.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-31 10:32:39 +03:00
github-actions[bot]
5d868bf60f
chore: update NVD/GHSA advisories - 9 NVD new, 9 NVD updated (#247)
Automated update from NVD CVE and GHSA advisory feeds.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-05-24T18:52:13Z to 2026-05-27T06:32:58.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-27 09:48:52 +03:00
github-actions[bot]
2e793639f2
chore: update NVD/GHSA advisories - 0 NVD new, 1 NVD updated (#241)
Automated update from NVD CVE and GHSA advisory feeds.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-05-16T22:02:27Z to 2026-05-24T18:50:11.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-25 00:37:22 +03:00
davida-ps
4dbac421ab
feat(advisories): add provisional GHSA feed (#242)
* feat(advisories): add provisional ghsa feed
* fix(workflows): include advisory signatures in checksums
* fix(workflows): mirror ghsa feed at release root
* feat(advisories): consolidate ghsa into agent feed
* ci(advisories): consolidate ghsa during nvd poll
* fix(advisories): retain unreplaced ghsa feed entries
* chore(skills): bump advisory feed consumers
* fix(release): resolve ts import closure dry run
* fix(release): preserve urls while stripping comments
* fix(release): ignore skill test-only changes
* fix(advisories): follow ghsa pagination links
* test(advisories): add nvd ghsa pipeline dry run
2026-05-24 21:41:59 +03:00
github-actions[bot]
0ee0d065ec
chore: CVE advisories - 0 new, 19 updated (#233)
Automated update from NVD CVE feed.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-05-12T06:56:03Z to 2026-05-16T22:00:50.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-17 01:04:46 +03:00
David Abutbul
19c5113511
fix(attestation): include runtime libs in release sbom (#235)
* fix(attestation): include runtime libs in release sbom
* ci: verify staged skill release import closure
* fix(release): include missing skill runtime sbom files
* fix(release): require files for import closure
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
2026-05-17 00:40:12 +03:00
David Abutbul
1e48a955cc
fix(release): exclude tests from skill payloads (#230)
* fix(release): exclude tests from skill payloads
* fix(release): normalize test path filtering
* fix(release): prefer GitHub artifacts for non-OpenClaw installs
* fix(release): keep legacy ClawHub publishing
* fix(release): address skill packaging review feedback
* chore(skills): bump release versions
* feat(skills): surface recommended platforms
* docs(skills): add signed release verification
* fix(skills): normalize PR version bumps
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
2026-05-14 14:38:58 +03:00
github-actions[bot]
382ec4971b
chore: CVE advisories - 18 new, 1 updated (#232)
Automated update from NVD CVE feed.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-05-10T13:15:38Z to 2026-05-12T06:54:54.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-12 10:08:29 +03:00
github-actions[bot]
6e512a5e43
chore: CVE advisories - 461 new, 0 updated (#228)
Automated update from NVD CVE feed.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-01-10T13:13:55.000Z to 2026-05-10T13:13:55.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-11 08:56:04 +03:00
davida-ps
369745821f
feat(traffic-guardian): add runtime monitoring skill baselines (#217)
* feat(traffic-guardian): add runtime monitoring skill baselines
* fix(traffic-guardian): align changelog and i18n fallback docs
* chore(traffic-guardian): prepare beta1 release metadata
2026-05-10 15:04:17 +03:00
github-actions[bot]
85caad5601
chore: CVE advisories - 461 new, 0 updated (#227)
Automated update from NVD CVE feed.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-01-07T12:10:52.000Z to 2026-05-07T12:10:52.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-07 15:14:30 +03:00
github-actions[bot]
4042a388a9
chore: CVE advisories - 0 new, 59 updated (#215)
Automated update from NVD CVE feed.
Keywords:
Poll window: 2026-04-30T06:50:23Z to 2026-05-03T06:48:42.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-05-03 13:28:47 +03:00
github-actions[bot]
0e22d8f9bd
chore: CVE advisories - 0 new, 12 updated (#214)
Automated update from NVD CVE feed.
Keywords:
Poll window: 2026-04-29T06:48:08Z to 2026-04-30T06:49:19.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-30 15:04:42 +03:00
github-actions[bot]
f8614a21b3
chore: CVE advisories - 53 new, 28 updated (#213)
Automated update from NVD CVE feed.
Keywords:
Poll window: 2026-04-28T06:52:17Z to 2026-04-29T06:46:53.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-29 19:19:03 +03:00
github-actions[bot]
5e298bc1f7
chore: CVE advisories - 11 new, 16 updated (#211)
Automated update from NVD CVE feed.
Keywords:
Poll window: 2026-04-26T11:27:34Z to 2026-04-28T06:51:12.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-28 13:29:28 +03:00
github-actions[bot]
808aefe40d
chore: CVE advisories - 1 new, 1 updated (#207)
Automated update from NVD CVE feed.
Keywords:
Poll window: 2026-04-24T06:36:58Z to 2026-04-26T11:26:31.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-26 14:38:45 +03:00
David Abutbul
0d2e38ddfd
Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs (#208)
* Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs
* fix(feed): add picoclaw to core platform taxonomy and filters
* fix(picoclaw): resolve eslint errors in new skills
* chore(nvd): include picoclaw in CVE polling and cleanup report
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
2026-04-26 14:19:18 +03:00
github-actions[bot]
c53463c445
chore: CVE advisories - 31 new, 1 updated (#205)
Automated update from NVD CVE feed.
Keywords:
Poll window: 2026-04-22T11:03:28Z to 2026-04-24T06:36:00.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-24 20:32:13 +03:00
github-actions[bot]
448a2bd577
chore: CVE advisories - 313 new, 0 updated (#193)
Automated update from NVD CVE feed.
Keywords:
Poll window: 2025-12-23T11:02:04.000Z to 2026-04-22T11:02:04.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-22 20:02:11 +03:00
David Abutbul
26af277afd
feat(hermes-attestation-guardian): v0.1.0 release hardening (verify gate + trust policy + .mjs scan context) (#200)
* feat(hermes-attestation-guardian): release v0.0.2 hardening
* docs(wiki): add v0.0.2 hardening update note
* docs: add Hermes support coverage to README and compatibility report
* fix(hermes-attestation-guardian): address baz review on crontab detection and doc dedup
* feat(wiki): add PR-200 skill feature/platform matrix
* docs(wiki): rewrite PR-200 matrix as narrative capability mapping
* docs(readme): add skill feature matrix with requested headers
* docs(readme): replace unknowns with mapped yes/no feature matrix
* docs: move NanoClaw and CI/CD details from README to wiki modules
* docs(readme): remove platform/suite sections and keep wiki module pointers
* docs(readme): refresh project structure to match current repo
* feat(hermes-attestation-guardian): add signed advisory feed verification pipeline
* feat(hermes-attestation-guardian): add advisory-gated guarded skill verification
* feat(hermes-attestation-guardian): add advisory scheduler helper and phase-3 parity docs
* docs(wiki): expand hermes attestation guardian capability coverage
* fix(pr-200): address Baz review findings across Hermes parity rollout
* test(sandbox): extend Hermes regression to cover feed, guarded verify, and advisory scheduler
* fix(pr-200): address Baz semver parsing and feed-state fallback visibility
* fix(ci): suppress shellcheck false positives in sandbox inline docker script
* fix(hermes-attestation-guardian): fail closed on unsupported advisory ranges
* fix(hermes-attestation-guardian): restore safe install verdict in sandbox
* fix(sandbox): capture guarded verify exit under set -e
* fix(semver): fail closed on malformed affected specifiers
* docs(readme): clarify hermes capability matrix wording
* refactor(feed): share signed artifact verification flow
* refactor(cron): share managed block helpers across setup scripts
* fix(feed): require checksum manifest artifacts when enabled
* chore(hermes-skill): relocate sandbox test, refresh docs, and add v0.1.0 release notes
* chore(docs): remove remaining hermes parity plan file
* chore(release): roll hermes-attestation-guardian to v0.1.0
* chore(release): remove standalone v0.1.0 release notes file
* docs(hermes): update README status to v0.1.0
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
2026-04-21 13:56:50 +03:00
davida-ps
d0fe8c59c4
fix(release): guard duplicate clawhub versions and bump watchdog to 0.1.4 (#201)
2026-04-17 10:07:45 +03:00
davida-ps
4d3fe1bf10
fix(clawtributor): switch to manual approval-gated reporting flow (#198)
2026-04-17 03:05:18 +03:00
davida-ps
f0f33b8121
fix(clawsec-clawhub-checker): remove suspicious install patterns (#197)
* fix(clawsec-clawhub-checker): remove mutating setup and install scraping
* fix(clawsec-clawhub-checker): harden fail-closed reputation paths
2026-04-17 03:01:08 +03:00
davida-ps
9e79645536
fix(clawsec-nanoclaw): isolate file io from network scan paths (#196)
2026-04-17 02:49:47 +03:00
davida-ps
e47d1e2d69
fix(clawsec-suite): reduce moderation false positives in publish payload (#195)
2026-04-17 02:43:57 +03:00
davida-ps
e6a1765a7f
fix(openclaw-audit-watchdog): avoid dangerous-exec gate false positives (#194)
* fix(openclaw-audit-watchdog): avoid dangerous-exec gate false positives
* fix(openclaw-audit-watchdog): align frontmatter runtime metadata
* fix(openclaw-audit-watchdog): normalize release version to 0.1.3
2026-04-17 02:34:45 +03:00
David Abutbul
600c945fe2
feat(hermes-attestation-guardian): harden attestation verification and drift controls (#192)
* feat(hermes-attestation-guardian): harden attestation verification and drift controls
* docs(wiki): add human-friendly claim mapping for hermes attestation guardian
* docs(wiki): expand hermes attestation claim narratives and archive draft
* fix(attestation): address Baz review findings for schema and verifier
* fix(attestation): reject broken symlink output paths
* docs(attestation): pass clean community install guard without force
* fix(attestation): harden writes and fail-closed config parsing
* feat(ui): add Hermes to rotating platform text
* test(attestation): add sandboxed Hermes regression runner script
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
2026-04-16 17:59:18 +03:00
davida-ps
caad6f698c
chore(skills): harden openclaw skill metadata (#191)
* chore(skills): harden openclaw skill metadata
* fix(openclaw-audit-watchdog): add dated release note heading
* chore(skills): normalize openclaw naming
* fix(soul-guardian): preserve legacy launchd state dir
* fix(soul-guardian): clean up legacy launchd labels
2026-04-14 15:43:04 +03:00
github-actions[bot]
6c33384947
chore: CVE advisories - 0 new, 29 updated (#190)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-12T06:30:25Z to 2026-04-14T06:33:41.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-14 14:09:51 +03:00
github-actions[bot]
a11314faa9
chore: CVE advisories - 58 new, 0 updated (#178)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-09T07:33:03Z to 2026-04-12T06:29:44.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-12 13:22:37 +03:00
github-actions[bot]
969a902fa6
chore: CVE advisories - 1 new, 0 updated (#176)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-08T20:59:34Z to 2026-04-09T07:32:24.000Z
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-09 10:47:15 +03:00
github-actions[bot]
0cfb9b4784
chore: CVE advisories - 0 new, 4 updated (#175)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-05T06:25:01Z to 2026-04-08T20:58:56.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-04-09 00:00:14 +03:00
davida-ps
9827f08769
chore(clawsec-suite): add 0.1.5 changelog entry (#174)
* chore(clawsec-suite): add 0.1.5 changelog release notes
* fix(ci): enforce release notes for bumped skills
2026-04-08 23:35:16 +03:00
davida-ps
b996cff4bd
fix(clawsec-suite): use release metadata for heartbeat version check (#173)
* fix(clawsec-suite): stop false heartbeat update alerts
* chore(deps): remediate npm audit vulnerabilities
* docs(heartbeats): harden release lookup and fallback behavior
* chore(skills): remove prompt-agent
* chore(clawsec-suite): bump version to 0.1.5
* fix(ci): skip removed skills in skill-release validation
2026-04-08 23:18:58 +03:00
github-actions[bot]
bd6e9e284a
chore: CVE advisories - 24 new, 20 updated (#167)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-30T06:34:41Z to 2026-04-05T06:24:22.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-04-05 12:16:06 +03:00
github-actions[bot]
e0083353cf
chore: CVE advisories - 19 new, 0 updated (#157)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-29T06:22:49Z to 2026-03-30T06:34:03.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-30 10:13:00 +03:00
github-actions[bot]
01f651d6aa
chore: CVE advisories - 1 new, 32 updated (#155)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-25T06:21:11Z to 2026-03-29T06:22:11.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-29 11:20:51 +03:00
github-actions[bot]
bd17103892
chore: CVE advisories - 0 new, 25 updated (#150)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-24T06:21:41Z to 2026-03-25T06:20:32.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-25 11:12:02 +02:00
github-actions[bot]
28bf775d47
chore: CVE advisories - 28 new, 34 updated (#149)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-20T06:16:32Z to 2026-03-24T06:21:01.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-24 13:57:22 +02:00
github-actions[bot]
30bcb96a23
chore: CVE advisories - 60 new, 14 updated (#143)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-18T06:21:47Z to 2026-03-20T06:15:50.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-23 00:39:24 +02:00
github-actions[bot]
0a320d18d4
chore: CVE advisories - 16 new, 13 updated (#141)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-15T06:18:51Z to 2026-03-18T06:21:06.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-18 12:56:05 +02:00
github-actions[bot]
eb124b5f11
chore: CVE advisories - 3 new, 1 updated (#133)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-12T06:16:01Z to 2026-03-15T06:18:13.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-15 12:23:09 +02:00
github-actions[bot]
277c0abe17
chore: CVE advisories - 6 new, 20 updated (#130)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-10T06:12:56Z to 2026-03-12T06:15:22.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-12 14:03:19 +02:00
davida-ps
f0f0f1db97
fix(clawsec-scanner): release 0.0.2 with real OpenClaw DAST harness (#128)
* fix(clawsec-scanner): ship real openclaw dast harness in 0.0.2
* fix(clawsec-scanner): classify ts harness limits as info coverage
* docs(wiki): add clawsec-scanner module documentation
* docs(release): add clawsec-suite install guidance to quick install text
* docs(readme): clarify standalone installs and suite optionality
* docs(readme): remove standalone quick-install block
* docs(readme): rename skill section and clarify suite start point
2026-03-10 19:27:22 +02:00
github-actions[bot]
1cced651a0
chore: CVE advisories - 0 new, 20 updated (#127)
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-03-09T06:19:31Z to 2026-03-10T06:12:16.000Z
Co-authored-by: davida-ps <232346510+davida-ps@users.noreply.github.com>
2026-03-10 09:07:06 +02:00
davida-ps
83ce1d0bf5
fix(release): enforce changelog match for tagged skill releases (#118)
2026-03-09 21:30:52 +02:00
davida-ps
f9a7565d6f
Automated Vulnerability Scanner Skill (clawsec-scanner) (#101)
* auto-claude: subtask-1-1 - Create skill.json with SBOM, OpenClaw config, and required binaries
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-1-2 - Create SKILL.md with YAML frontmatter and documentation
* auto-claude: subtask-1-3 - Create CHANGELOG.md starting at version 0.1.0
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-1-4 - Create directory structure (scripts/, lib/, hooks/, test/)
* auto-claude: subtask-2-1 - Create lib/types.ts with Vulnerability and ScanReport interfaces
- Defined VulnerabilitySource type with 7 possible sources (npm-audit, pip-audit, osv, nvd, github, sast, dast)
- Defined SeverityLevel type with 5 severity levels (critical, high, medium, low, info)
- Created Vulnerability interface with all required fields: id, source, severity, package, version, title, description, references, discovered_at, and optional fixed_version
- Created ScanReport interface with scan_id, timestamp, target, vulnerabilities array, and summary counts
- Added HookEvent and HookContext types for OpenClaw hook integration
- Follows patterns from clawsec-suite advisory-guardian types
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-2 - Create lib/utils.mjs with subprocess execution and JSON parsing helpers
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-3 - Create lib/report.mjs for unified vulnerability re
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-3-1 - Create scripts/scan_dependencies.mjs for npm audit and pip-audit integration
- Implements npm audit JSON output parsing with non-zero exit handling
- Implements pip-audit JSON output parsing with -f json flag
- Handles missing package-lock.json/requirements.txt gracefully
- Checks for command availability (npm, pip-audit) before running
- Converts audit outputs to unified Vulnerability schema
- Generates ScanReport with UUID scan_id and timestamp
- Supports --target and --format (json|text) CLI flags
- Edge cases: missing files, unavailable commands, malformed JSON
- Verification passes: UUID scan_id matches pattern ^[0-9a-f-]{36}$
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-4-1 - Create scripts/query_cve_databases.mjs with OSV pr
Implemented CVE database integration with:
- queryOSV(): Primary CVE source using OSV API (free, no auth)
- queryNVD(): Fallback NVD API with 6s rate limiting (gated by CLAWSEC_NVD_API_KEY)
- queryGitHub(): Placeholder for future GitHub Advisory Database integration
- enrichVulnerability(): Multi-database enrichment pipeline
- Normalization to unified Vulnerability schema with severity, references, fixed versions
- Graceful error handling for network failures and API errors
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-5-1 - Create scripts/sast_analyzer.mjs to run Semgrep and Bandit
Implemented static analysis engine following scan_dependencies.mjs pattern:
- Runs Semgrep for JS/TS with --config auto and --json output
- Runs Bandit for Python with -r <path> -f json -c pyproject.toml
- Handles non-zero exit codes gracefully (tools exit 1 on findings)
- Parses JSON output and converts to unified Vulnerability schema
- Supports --target and --format CLI flags
- Gracefully handles missing tools (semgrep, bandit)
- Generates ScanReport with UUID scan_id and severity summary
Verification passed: JSON output with valid vulnerabilities array
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-6-1 - Create scripts/dast_runner.mjs with basic security test framework
- Implemented DAST framework with 4 security test cases:
- DAST-001: Hook handler malicious input test (XSS, command injection, path traversal)
- DAST-002: Hook handler timeout enforcement (30s default)
- DAST-003: Hook handler resource limits (memory/CPU)
- DAST-004: Hook handler event mutation safety
- Supports --target, --format (json|text), --timeout CLI flags
- Returns unified ScanReport with vulnerability schema
- Executes all test cases with configurable timeout
- Tests malicious input patterns: XSS, SQL injection, command injection, path traversal, null bytes, large payloads
- v1 scope: basic test framework for hook security testing (full agent workflow DAST is future work)
Verification:
- ✅ Framework loads and executes 4 test cases
- ✅ Timeout enforcement working (30s default, configurable via --timeout)
- ✅ JSON output with valid scan_id
- ✅ Text format output working
- ✅ Help output displays usage information
* auto-claude: subtask-7-1 - Create scripts/runner.sh as main entry point with CLI flag parsing
- Orchestrates all scanning engines (dependency, SAST, DAST, CVE)
- Supports --target (required), --output, --format flags
- Merges reports from all scanners using jq
- Provides --help documentation
- Follows openclaw-audit-watchdog/scripts/runner.sh pattern
- Includes skip flags for selective scanning
- Verification: --help shows --target flag
* auto-claude: subtask-8-1 - Create hooks/clawsec-scanner-hook/HOOK.md with hook metadata
- Added YAML frontmatter with hook name, description, and OpenClaw events
- Documented hook purpose: periodic vulnerability scanning on agent:bootstrap and command:new
- Described four scanning engines: dependency, SAST, DAST, CVE lookup
- Added safety contract (non-blocking, read-only, configurable interval)
- Documented all environment variables (core config, CVE integration, selective scanning, advanced options)
- Listed required binaries (node, npm, python3, pip-audit, semgrep, bandit, jq, curl)
- Follows clawsec-advisory-guardian/HOOK.md pattern
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-8-2 - Create hooks/clawsec-scanner-hook/handler.ts with event.messages mutation
- Implement hook handler following clawsec-advisory-guardian pattern
- Add rate-limited scanning with configurable interval (default 24h)
- Support event types: agent:bootstrap and command:new
- Integrate with runner.sh for vulnerability scanning
- Deduplicate vulnerabilities using state file persistence
- Filter findings by minimum severity (default: medium)
- Push scan results to event.messages array
- Support selective scanning via environment variables
- Handle failures gracefully with partial results
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-8-3 - Create scripts/setup_scanner_hook.mjs for hook installation
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-9-1 - Create test/dependency_scanner.test.mjs for dependency scanning tests
- Created test harness (test/lib/test_harness.mjs) with test utilities
- Created comprehensive test suite with 20 tests covering:
- normalizeSeverity function (all severity levels)
- safeJsonParse function (valid, invalid, empty inputs)
- getTimestamp and generateUuid functions
- commandExists function (found and not found cases)
- generateReport function (empty and with vulnerabilities)
- formatReportJson and formatReportText functions
- Report structure validation
- Temp directory creation and cleanup
- All tests pass successfully (20/20)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-9-2 - Create test/cve_integration.test.mjs for CVE database API tests
Added comprehensive CVE integration tests covering:
- OSV API query and normalization
- NVD API query with rate limiting
- GitHub Advisory Database placeholder
- Multi-source enrichment
- Error handling and network failures
- Vulnerability structure validation
- Multiple ecosystem support (npm, PyPI)
Tests gracefully handle network unavailability and skip API key-dependent tests.
All 20 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-9-3 - Create test/sast_engine.test.mjs for static analysis tests
- Added comprehensive test suite for SAST engine functionality
- Tests cover Semgrep and Bandit output parsing
- Validates severity normalization and vulnerability data structures
- Includes edge case handling for malformed JSON and missing fields
- All 16 tests passing
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-10-2 - Run ESLint with zero warnings
- Add no-unused-vars rule with argsIgnorePattern to .mjs files in ESLint config
- Prefix unused parameters with underscore in handler.ts, dast_runner.mjs, query_cve_databases.mjs
- Remove unused error binding in handler.ts catch block
- Remove unused result variable in cve_integration.test.mjs
- Remove unused SAMPLE_OSV_VULN and SAMPLE_NVD_CVE constants
- Remove unused safeJsonParse import from query_cve_databases.mjs
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(clawsec-scanner): resolve baz logical scanner findings
* fix(clawsec-scanner): make scanner state parsing type-safe
* chore(clawsec-scanner): bump version to 0.0.1
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-09 21:16:22 +02:00
davida-ps
81c2e60513
fix(ci): temporary clawhub publish workaround for MIT-0 consent (#117)
* fix(ci): patch clawhub publish payload for temporary MIT-0 consent workaround
* fix(ci): make clawhub publish patch self-contained for tag republish
* fix(clawsec-nanoclaw): harden signature verification boundaries
* chore(clawsec-nanoclaw): bump version to 0.0.3
* fix(clawsec-nanoclaw): normalize integrity policy and baseline paths
2026-03-09 19:30:22 +02:00