How to Set Up Continuous Security Scanning for OpenClaw

# In GitHub Actions (.github/workflows/security.yml):
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * *'  # Daily

jobs:
  dependency-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm audit --audit-level=moderate
      - run: npx audit-ci --moderate

# Add to .github/workflows/security.yml:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for secret scanning
      - name: TruffleHog Scan
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified
      - name: Gitleaks Scan
        uses: gitleaks/gitleaks-action@v2

# Add to .github/workflows/security.yml:
  container-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t openclaw:test .
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: openclaw:test
          severity: HIGH,CRITICAL
          exit-code: 1

# Add CodeQL for JavaScript/TypeScript/Python:
  code-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript,python
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

# Custom OpenClaw security scanner:
  openclaw-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Audit skills for API key leaks
        run: |
          grep -rn "sk-[a-zA-Z0-9]\{20,\}" skills/ && exit 1 || true
          grep -rn "api_key.*=.*[a-zA-Z0-9]\{20,\}" skills/ && exit 1 || true
      - name: Check for dangerous permissions
        run: |
          grep -rn "shell:.*true" skills/ && exit 1 || true

# Install Falco with OpenClaw rules:
helm install falco falcosecurity/falco \
  --set falco.rules_files.custom=/etc/falco/openclaw-rules.yaml

# Create OpenClaw Falco rules:
- rule: OpenClaw Suspicious Activity
  condition: >
    spawned_process and
    proc.pname = "openclaw" and
    (proc.name in (nc, ncat, wget, curl) or
     proc.args contains "bash -i" or
     fd.name contains "/etc/shadow")
  output: "Suspicious OpenClaw activity"
  priority: WARNING

# Configure Slack notifications in GitHub Actions:
      - name: Notify on security findings
        if: failure()
        uses: slackapi/slack-github-action@v1
        with:
          webhook-url: ${{ secrets.SLACK_WEBHOOK }}
          payload: |
            {
              "text": "🚨 Security scan failed on ${{ github.ref }}",
              "blocks": [{
                "type": "section",
                "text": {"type": "mrkdwn", "text": "Review findings at ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}
              }]
            }

# In security-policy.md:
## Vulnerability Remediation SLAs

- CRITICAL: Fix within 24 hours of detection
- HIGH: Fix within 7 days
- MODERATE: Fix within 30 days
- LOW: Fix within 90 days or accept risk

## Escalation:
- Unresolved CRITICAL after 48h: Page on-call security lead
- Unresolved HIGH after 14 days: Escalate to engineering manager