- Add USER node directive to Dockerfile for non-root container execution
- Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636)
- Add Docker security best practices documentation
- Document detect-secrets usage for local security scanning

Reviewed-by: Agents Council (5/5 approval)
Security-Score: 8.8/10
Watchdog-Verdict: SAFE WITH CONDITIONS
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
# Security Policy

If you believe you've found a security issue in Clawdbot, please report it privately.

## Reporting

- Email: steipete@gmail.com
- What to include: reproduction steps, impact assessment, and (if possible) a minimal PoC.
## Operational Guidance

For threat model and hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:
https://docs.clawd.bot/gateway/security
## Runtime Requirements

### Node.js Version

Clawdbot requires Node.js 22.12.0 or later (LTS). This version includes important security patches:

- CVE-2025-59466: async_hooks DoS vulnerability
- CVE-2026-21636: Permission model bypass vulnerability

Verify your Node.js version:

```bash
node --version # Should be v22.12.0 or later
```
### Docker Security

When running Clawdbot in Docker:

- The official image runs as a non-root user (`node`) for reduced attack surface
- Use the `--read-only` flag when possible for additional filesystem protection
- Limit container capabilities with `--cap-drop=ALL`

Example secure Docker run:

```bash
docker run --read-only --cap-drop=ALL \
  -v clawdbot-data:/app/data \
  clawdbot/clawdbot:latest
```
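A local check for both requirements above, added here as an example and not part of the Clawdbot project: it compares the installed Node.js version numerically against the policy minimum (a plain string compare would wrongly accept v22.9.0) and verifies that a running container has a non-root user, a read-only root filesystem and all capabilities dropped, reading those fields with `docker inspect`. The script name and the `--check` entry point are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Clawdbot project. MIN_NODE is the minimum
# stated in this policy; the Docker fields used below (Config.User,
# HostConfig.ReadonlyRootfs, HostConfig.CapDrop) are standard `docker inspect` output.
MIN_NODE="22.12.0"

# version_to_int VERSION -> prints MAJOR*1000000 + MINOR*1000 + PATCH so that
# versions compare numerically (string compare ranks v22.9.0 above v22.12.0).
version_to_int() {
    v=${1#v}                       # "v22.12.0" -> "22.12.0"
    v=${v%%-*}                     # drop a pre-release suffix such as "-rc1"
    case "$v" in
        *[!0-9.]*|"") return 1 ;;  # not something we can parse (e.g. "latest")
    esac
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# node_version_ok VERSION -> exit 0 if VERSION satisfies MIN_NODE, 1 otherwise.
node_version_ok() {
    have=$(version_to_int "$1") || return 1
    [ "$have" -ge "$(version_to_int "$MIN_NODE")" ]
}

# container_hardened USER READONLY CAPDROP -> exit 0 only when the container runs
# as a non-root user, has a read-only root filesystem, and dropped ALL capabilities.
# Takes the three values as arguments so it can be exercised without Docker.
container_hardened() {
    user=$1; ro=$2; capdrop=$3
    case "$user" in ""|root|0|0:*) return 1 ;; esac   # unset user means root
    [ "$ro" = "true" ] || return 1
    case "$capdrop" in *ALL*) ;; *) return 1 ;; esac
    return 0
}

# audit_container NAME -> pulls the three fields from a running container.
audit_container() {
    container_hardened \
        "$(docker inspect -f '{{.Config.User}}' "$1")" \
        "$(docker inspect -f '{{.HostConfig.ReadonlyRootfs}}' "$1")" \
        "$(docker inspect -f '{{json .HostConfig.CapDrop}}' "$1")"
}

if [ "${1:-}" = "--check" ]; then   # usage: sh check-runtime.sh --check [container]
    node_version_ok "$(node --version)" && echo "node: ok" || echo "node: below $MIN_NODE"
    [ -n "${2:-}" ] && { audit_container "$2" && echo "container: hardened" || echo "container: NOT hardened"; }
fi
```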
## Security Scanning

This project uses detect-secrets for automated secret detection in CI/CD.
See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.

Run locally:

```bash
pip install detect-secrets==1.5.0
detect-secrets scan --baseline .secrets.baseline
```