gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
63de5ce08d5442d772f9000768965bfcbd476dcb
clawsec/skills/openclaw-audit-watchdog/examples/README.md
T
davida-ps 63de5ce08d Security Audit Suppression Mechanism (fulfills https://github.com/prompt-security/clawsec/issues/25) (#40) 
* auto-claude: subtask-1-1 - Create config loading utility with multi-path fallback

Created load_suppression_config.mjs with:
- Multi-path fallback: ~/.openclaw/security-audit.json -> .clawsec/allowlist.json
- Environment variable support (OPENCLAW_AUDIT_CONFIG)
- Custom path support via CLI argument
- Schema validation (checkId, skill, reason, suppressedAt required)
- Malformed JSON error handling
- Graceful fallback to empty suppressions when no config exists
- ISO 8601 date format validation with warnings

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* auto-claude: subtask-1-2 - Create example config file template

- Added security-audit-config.example.json with two suppression examples
- Included examples for clawsec-suite and openclaw-audit-watchdog
- Created comprehensive README.md explaining configuration format
- All required fields documented (checkId, skill, reason, suppressedAt)
- ISO 8601 date format demonstrated
- JSON validated successfully

* auto-claude: subtask-1-3 - Add unit tests for config loading

Added comprehensive unit tests for suppression config loading:
- Valid config with all required fields
- Malformed date warning (non-blocking)
- Missing required field validation
- Malformed JSON error handling
- File not found graceful fallback
- Custom path priority
- Environment variable override
- Missing/empty suppressions array handling

All 10 tests passing.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* auto-claude: subtask-2-1 - Add suppression filtering to render_report.mjs

Implements suppression filtering logic for security audit findings:
- Import loadSuppressionConfig for config loading
- Add --config CLI argument for custom config paths
- Create extractSkillName() to extract skill names from findings (tries multiple fields)
- Create filterFindings() to split findings into active/suppressed
- Match suppressions by BOTH checkId AND skill name (exact match required)
- Attach suppression metadata (reason, suppressedAt) to suppressed findings
- Modify render() to accept suppressedFindings parameter
- Apply filtering in main execution before rendering

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* auto-claude: subtask-2-2 - Add INFO-SUPPRESSED section to report output

- Added lineForSuppressedFinding() to format suppressed findings
- Added INFO-SUPPRESSED section showing suppressed findings with reason and date
- Suppressed findings are not counted in summary (already filtered)
- Follows existing code patterns for report sections

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* auto-claude: subtask-3-1 - Add --config flag to run_audit_and_format.sh

- Added --config flag to accept path to config file
- Added --help flag with usage documentation
- Config flag is passed to openclaw audit commands when provided
- Follows existing pattern for --label flag

* auto-claude: subtask-4-1 - Create integration tests for render_report with suppressions

Created comprehensive integration tests covering:
- Suppressed findings appear in INFO-SUPPRESSED section
- Active findings appear in CRITICAL/WARN section
- Summary counts exclude suppressed findings
- Backward compatibility (no config)
- Partial matches don't suppress (checkId or skill alone)
- Multiple suppressions work correctly
- Skill name extraction from path field
- Skill name extraction from title field
- Empty suppressions array behaves like no config

Bug fix in render_report.mjs:
- Summary counts now recalculated after filtering suppressed findings
- Previously summary showed original counts instead of filtered counts

All 10 tests passing.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* auto-claude: subtask-4-2 - Manual E2E test with real openclaw audit

- Fixed run_audit_and_format.sh to pass --config flag to render_report.mjs
- Enhanced lineForFinding() to display skill names for better clarity
- Enhanced lineForSuppressedFinding() to display skill names consistently
- Created comprehensive E2E test documentation in E2E-TEST-RESULTS.md
- All E2E verification points passed:
  * Config loading from custom paths
  * Suppression matching by checkId + skill name
  * INFO-SUPPRESSED section display
  * Suppression reason and date display
  * Summary count accuracy (excludes suppressed findings)
  * Non-suppressed findings preservation
  * Skill name display in all findings
- All integration tests still passing (10/10)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* auto-claude: subtask-5-1 - Update README.md with suppression feature

* auto-claude: subtask-5-2 - Update SKILL.md with usage examples

* - Add backslash escaping before quote escaping in oneline() function
- Prevents incomplete string escaping vulnerability
- Resolves CodeQL alert: https://github.com/prompt-security/clawsec/security/code-scanning/16

* Fix regex in extractSkillName function and simplify error handling in suppression config tests

* Enhance suppression mechanism in OpenClaw Audit Watchdog

- Updated README.md to clarify suppression configuration and activation requirements.
- Improved SKILL.md with examples for suppressing known findings.
- Refactored load_suppression_config.mjs to implement opt-in gating for suppressions.
- Modified render_report.mjs to support suppression flag in report generation.
- Enhanced run_audit_and_format.sh and runner.sh scripts to accept --enable-suppressions flag.
- Added test cases for suppression configuration, including validation for enabledFor sentinel and opt-in behavior.
- Introduced new test files for empty and invalid suppression configurations.

* Fix type assertion for checksums file entries in Checksums component

* Update ESLint configuration and dependencies to pin @eslint/js to version 9.28.0

* Update CHANGELOG.md for advisory suppression module and OpenClaw Audit Watchdog enhancements

* Refactor finding comparison logic in render_report.mjs to simplify equality checks

* chore(clawsec-suite): bump version to 0.1.2

* chore(openclaw-audit-watchdog): bump version to 0.1.0

* Remove suppressed matches tracking from state to prevent re-evaluation alerts

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-16 18:55:06 +02:00

3.3 KiB
Raw Blame History

Security Audit Configuration Examples

Overview

This directory contains example configuration files for the OpenClaw security audit suppression mechanism.

Configuration File Format

The suppression configuration file must be valid JSON with the following structure:

{
  "suppressions": [
    {
      "checkId": "skills.code_safety",
      "skill": "clawsec-suite",
      "reason": "First-party security tooling, reviewed 2026-02-13",
      "suppressedAt": "2026-02-13"
    }
  ]
}

Required Fields

Each suppression entry must include:

  • checkId (string, required): The security check identifier that flagged the finding

    • Example: "skills.code_safety", "skills.permissions", "skills.network"

  • skill (string, required): The exact skill name being suppressed

    • Example: "clawsec-suite", "openclaw-audit-watchdog"

  • reason (string, required): Justification for the suppression (audit trail)

    • Example: "First-party security tooling, reviewed 2026-02-13"
    • Example: "False positive - validated by security team on 2026-02-10"

  • suppressedAt (string, required): ISO 8601 date when suppression was added

    • Format: YYYY-MM-DD
    • Example: "2026-02-13"

Configuration File Locations

The suppression config is loaded from these locations (in priority order):

  1. Custom path: Specified via --config flag
  2. Environment variable: OPENCLAW_AUDIT_CONFIG env var
  3. Primary default: ~/.openclaw/security-audit.json
  4. Fallback: .clawsec/allowlist.json

If no config file is found, the audit runs normally without suppressions (backward compatible).

Usage Examples

Basic Setup

  1. Copy the example config:
mkdir -p ~/.openclaw
cp security-audit-config.example.json ~/.openclaw/security-audit.json

  1. Customize the suppressions for your needs

  2. Run the audit:

openclaw security audit --deep

Using Custom Config Path

openclaw security audit --deep --config /path/to/custom-config.json

Managing False Positives

When you encounter a false positive:

  1. Identify the checkId and skill name from the audit report
  2. Add a suppression entry with a clear reason
  3. Include the current date in ISO format
  4. Re-run the audit to verify the suppression works

Example suppression entry:

{
  "checkId": "skills.permissions",
  "skill": "my-internal-tool",
  "reason": "Broad permissions required for legitimate functionality, approved by security team",
  "suppressedAt": "2026-02-16"
}

Important Notes

  • Transparency: Suppressed findings remain visible in the audit report under "INFO - SUPPRESSED"
  • Matching: Suppressions require BOTH checkId AND skill to match (prevents over-suppression)
  • Audit Trail: Always document the reason and date for compliance
  • Validation: The config is validated on load - malformed JSON will produce a clear error

Example Use Case: First-Party Tools

The example config demonstrates suppressing false positives for ClawSec's own security tools:

  • clawsec-suite: Legitimately executes CLI commands for security scanning
  • openclaw-audit-watchdog: Legitimately accesses environment variables for auditing

These tools are flagged as "dangerous" by the security scanner but are safe first-party tools that have been reviewed.

Reference in New Issue View Git Blame Copy Permalink