Pre-Publish Security Protocol
Prevents security breaches like exposed credentials in open-source releases.
Features
✅ Multi-Level Scanning
- Quick scan: every push (~5s)
- History scan: Monthly deep dive (~2-5min)
- Dependency CVE: Weekly npm/Python check (~30s)
- Full audit: On-demand comprehensive (~3-6min)
✅ Smart Frequency Management
- State tracking knows when each scan last ran
- Auto-determines which scans to run
- Prevents redundant checks
✅ What It Catches
- GitHub PATs, API keys, passwords, private keys
- Secrets in git history (even if "deleted")
- npm/Python dependency CVEs
- Unsafe code patterns (eval, exec)
- Documentation placeholders (`[ORG]`, example.com)
- Missing LICENSE/README files
- Exported environment variables with secrets
✅ Automated Protection
- Git pre-push hook blocks bad commits
- Severity-based exit codes (CRITICAL/HIGH/MEDIUM/LOW)
- Markdown reports with actionable fixes
Quick Start
Install Pre-Push Hook
```bash
# Automatic protection on every push
./install-hooks.sh /path/to/your/repo
```
Run First History Scan
```bash
# One-time deep check (or run it monthly)
./audit-full.sh /path/to/repo history
```
Check Status
```bash
# See when each scan last ran
./schedule.sh status
```
Run Scheduled Audits
```bash
# Automatically decides what to run based on elapsed time
./schedule.sh run /path/to/repo
```
Manual Scans
```bash
# Quick scan (every push)
./audit-simple.sh /path/to/repo

# Git history scan (monthly)
./audit-full.sh /path/to/repo history

# Dependency scan (weekly)
./audit-full.sh /path/to/repo dependencies

# Full audit (before publishing)
./audit-full.sh /path/to/repo full
```
What Gets Scanned
Quick Scan (Every Push)
- Current file secret patterns
- Documentation placeholders
- Basic license/README presence
- Runtime: ~5 seconds
History Scan (Monthly)
- Full git commit history
- Deleted-but-accessible credentials
- Historical security issues
- Runtime: 2-5 minutes
Dependency Scan (Weekly)
- npm audit (Node.js CVEs)
- Python safety check
- Known vulnerabilities
- Runtime: ~30 seconds
Full Audit (On-Demand)
- All of the above
- Environment variable leaks
- Pre-commit hook verification
- Code quality patterns
- Runtime: 3-6 minutes
Severity Levels
- CRITICAL → Blocks push (secrets, credentials)
- HIGH → Requires approval (vulnerabilities, missing LICENSE)
- MEDIUM → Warning (TODOs, missing README)
- LOW → Informational
Integration
Pre-Push Hook (Recommended)
```bash
./install-hooks.sh ~/my-repo
git push  # automatic security check
```
Weekly Cron
```bash
# Add to OpenClaw scheduled tasks (every Monday at 03:00)
openclaw cron add \
  --name weekly-repo-scan \
  --cron "0 3 * * 1" \
  --announce \
  --message "Run: ~/.openclaw/workspace/skills/pre-publish-security/schedule.sh run ~/repo"
```
Manual Pre-Publish
```bash
# Before clawhub publish
./audit-full.sh ~/skills/my-skill full
clawhub publish skills/my-skill --version 1.0.1
```
Files
- `audit-simple.sh` - Fast pre-push scan
- `audit-full.sh` - Complete scanner with tracking
- `schedule.sh` - Status & smart automation
- `install-hooks.sh` - Git hook installer
- `audit-state.json` - State tracking (auto-created)
- `AUDIT-SCHEDULE.md` - Detailed frequency guide
- `README.md` - Full documentation
- `agents/` - Sub-agent definitions (future use)
Requirements
Required:
Optional (enhanced detection):
- npm (Node.js dependency scanning)
- pip + safety (Python dependency scanning)
- shellcheck (bash script validation)
State Tracking
Automatically tracks:
- Last run timestamp for each scan type
- Total scan counts
- Cumulative findings by severity
View with: `./schedule.sh status`
Exit Codes
- `0` - Passed (no issues, or low/medium only)
- `1` - Critical issues (blocks push)
- `2` - High issues (requires review)
Real-World Example
Problem: Accidentally pushed GitHub PAT in git remote URL
Solution: This tool caught it and blocked the push
Result: Credential never exposed publicly
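As an added illustration of how the severity levels, exit codes and the real-world case above fit together (this is not the project's own `audit-simple.sh`), the POSIX shell function below reads text on stdin, reports each finding as `<SEVERITY> <rule>`, and returns 0, 1 or 2 exactly as the Exit Codes section defines. The rule names, the regexes and the sample `.git/config` with a fake PAT in its remote URL are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the pre-publish-security scripts.
# scan_text: read text on stdin, print findings, and return the tool's exit
# code convention: 0 = pass (or only MEDIUM/LOW), 1 = CRITICAL, 2 = HIGH.
scan_text() {
    input=$(cat)
    worst=0
    # CRITICAL: a GitHub PAT (ghp_ + 36 chars), a PEM private key, userinfo in
    # an http(s) URL (how a PAT ends up in a git remote), or an exported secret
    if printf '%s\n' "$input" | grep -Eq 'ghp_[A-Za-z0-9]{36}'; then
        echo "CRITICAL github-pat"; worst=1
    fi
    if printf '%s\n' "$input" | grep -Eq -e '-----BEGIN [A-Z ]*PRIVATE KEY-----'; then
        echo "CRITICAL private-key"; worst=1
    fi
    if printf '%s\n' "$input" | grep -Eq 'https?://[^/@[:space:]]+@[^/[:space:]]+'; then
        echo "CRITICAL credential-in-url"; worst=1
    fi
    if printf '%s\n' "$input" | grep -Eiq '^[[:space:]]*export [A-Za-z_]*(SECRET|TOKEN|PASSWORD|KEY)[A-Za-z_]*='; then
        echo "CRITICAL exported-env-secret"; worst=1
    fi
    # HIGH: unsafe code patterns; escalates only if nothing CRITICAL was seen
    if printf '%s\n' "$input" | grep -Eq '(^|[^A-Za-z0-9_])(eval|exec)\('; then
        echo "HIGH unsafe-eval-exec"
        if [ "$worst" -eq 0 ]; then worst=2; fi
    fi
    # MEDIUM: documentation placeholders are reported but never block a push
    if printf '%s\n' "$input" | grep -Eq '\[ORG\]|example\.com'; then
        echo "MEDIUM placeholder"
    fi
    return "$worst"
}

# Scan a string argument instead of stdin (same output and exit code).
scan_string() {
    printf '%s\n' "$1" | scan_text
}

# Constructed sample: a .git/config whose remote URL embeds a fake PAT and
# whose path still carries the [ORG] placeholder.
SAMPLE_CONFIG='[remote "origin"]
    url = https://ghp_0123456789abcdef0123456789abcdef0123@github.com/[ORG]/repo.git'

# Usage: scan_string "$SAMPLE_CONFIG"; echo "exit code: $?"
```

Wired into a pre-push hook, a non-zero return from `scan_string` is what stops the push; the MEDIUM placeholder line is still printed so the report stays actionable.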
Use Cases
1. Individual Developers: Pre-push hook prevents accidents
2. Open-Source Projects: Protects against contributor mistakes
3. ClawHub Skills: Validates before publishing
4. CI/CD: Add to GitHub Actions for automated checks
5. Security Audits: Comprehensive repository review
Why This Exists
On 2026-03-15, a GitHub PAT was accidentally exposed in a git config file. This protocol ensures it never happens again - to anyone.
License
MIT - Use it, improve it, share it.
Contributing
Issues & PRs welcome at: https://github.com/solmas/pre-publish-security