Lesson 4 of 5
Security & Best Practice Checks
Estimated time: 8 minutes
Security vulnerabilities are the most dangerous findings in code review because they're easy to miss and expensive to fix after deployment. This lesson dives deep into how OpenClaw detects security issues and what to do when it finds them.
Prerequisites: repository connected with review rules configured; understanding of common web vulnerabilities (helpful, not required); OpenClaw Gateway running.
What OpenClaw Scans For
Security Analysis Layers
┌───────────────────────────────────────────────┐
│ Layer 1: Pattern Matching │
│ SQL strings, eval(), hardcoded secrets │
├───────────────────────────────────────────────┤
│ Layer 2: Data Flow Analysis │
│ User input → database query (injection?) │
│ User input → HTML output (XSS?) │
├───────────────────────────────────────────────┤
│ Layer 3: Dependency Scanning │
│ Known CVEs in package.json / requirements │
├───────────────────────────────────────────────┤
│ Layer 4: Configuration Audit │
│ CORS, CSP headers, auth middleware │
└───────────────────────────────────────────────┘
Each layer catches different classes of vulnerabilities. Pattern matching catches the obvious stuff; data flow analysis catches the subtle chains.
OpenClaw classifies security findings into four severity levels, each with a recommended response.
| Severity | Examples | Merge Policy | SLA |
|---|---|---|---|
| CRITICAL | Hardcoded secrets, RCE | Block merge | Fix immediately |
| HIGH | SQL injection, XSS, auth bypass | Block merge | Fix before merge |
| MEDIUM | Missing rate limiting, weak crypto | Warn | Fix within sprint |
| LOW | Verbose error messages, missing headers | Suggest | Fix when convenient |
Enable the security checks that matter for your stack.
```yaml
xss:
  enabled: true
  scan_templates: true
  severity: high
secrets:
  enabled: true
  patterns:
    - api_keys
    - passwords
    - tokens
    - private_keys
    - connection_strings
  severity: critical
dependencies:
  enabled: true
  scan_lockfile: true
  min_severity: medium  # Ignore LOW CVEs
  auto_suggest_fix: true
auth:
  enabled: true
  check_middleware: true
  check_rbac: true
  severity: high
headers:
  enabled: true
  required: [CSP, X-Frame-Options, Strict-Transport-Security]
  severity: medium
```
Here's what a real security finding looks like as an inline PR comment.
```
File: src/app/api/users/route.ts, line 23

const user = await db.query(
  `SELECT * FROM users WHERE id = ${params.id}` // ← HERE
);

Issue: User-supplied 'params.id' is interpolated directly into a SQL query string. An attacker can inject arbitrary SQL.

Example attack: GET /api/users/1; DROP TABLE users; --

Suggested fix:
const user = await db.query(
  'SELECT * FROM users WHERE id = $1',
  [params.id]
);

Learn more: https://owasp.org/www-community/attacks/SQL_Injection
```
Every finding includes: the vulnerability type, the exact line, an explanation of why it's dangerous, an example attack, and a suggested fix with code.
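The finding above is the kind of issue Layer 1 pattern matching can catch. As an added example (not OpenClaw's code or rule engine), this JavaScript check flags SQL-looking template literals that contain `${...}` interpolation; the function name `findSqlInterpolation` and all sample snippets are constructed for illustration.

```javascript
// Added example: a minimal pattern-matching check (not OpenClaw's implementation).
const SQL_START = /^\s*(SELECT|INSERT|UPDATE|DELETE)\b/i;

// Returns one finding per ${...} interpolation inside a SQL-looking template literal.
// Limitation: template literals nested inside ${...} are not handled.
function findSqlInterpolation(source) {
  const findings = [];
  const templateLiteral = /`((?:\\[\s\S]|[^`\\])*)`/g; // spans multiple lines
  let m;
  while ((m = templateLiteral.exec(source)) !== null) {
    const body = m[1];
    if (!SQL_START.test(body)) continue; // ignore non-SQL templates
    const interp = /\$\{([^}]*)\}/g;
    let i;
    while ((i = interp.exec(body)) !== null) {
      const offset = m.index + 1 + i.index; // +1 skips the opening backtick
      const line = source.slice(0, offset).split("\n").length;
      findings.push({ line, expression: i[1].trim(), severity: "high" });
    }
  }
  return findings;
}

// Constructed samples modelled on the finding above.
const vulnerable = [
  "const user = await db.query(",
  "  `SELECT * FROM users WHERE id = ${params.id}`",
  ");",
].join("\n");
const parameterized = [
  "const user = await db.query(",
  "  'SELECT * FROM users WHERE id = $1',",
  "  [params.id]",
  ");",
].join("\n");
const logging = "console.log(`Hello ${name}`);";
// String concatenation slips past this pattern; tracing it needs data flow analysis.
const concatenated = 'const q = "SELECT * FROM users WHERE id = " + params.id;';

for (const [name, src] of Object.entries({ vulnerable, parameterized, logging, concatenated })) {
  console.log(name, JSON.stringify(findSqlInterpolation(src)));
}
```

Only the `vulnerable` sample produces a finding. The concatenated query returns none, which is the gap the data flow layer is meant to cover.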
When OpenClaw detects a known CVE in your dependencies, it provides actionable guidance.
```
Package: lodash@4.17.20
CVE: CVE-2021-23337
Severity: Medium (CVSS 7.2)
Description: Prototype pollution in lodash.template

Impact: An attacker can inject properties into Object.prototype, potentially leading to denial of service or property injection.

Fix available: npm install lodash@4.17.21

Auto-fix: OpenClaw can create a commit updating this dependency. Reply "fix lodash" to apply.
```
For simple dependency updates, let OpenClaw handle it:
```
OpenClaw: Updating lodash 4.17.20 → 4.17.21...
✓ package.json updated
✓ package-lock.json regenerated
✓ Committed: "fix: update lodash to 4.17.21 (CVE-2021-23337)"
✓ Pushed to PR branch
```
If you prefer to handle it yourself:
Then push the updated lockfile to your PR branch.
Secret detection deserves special attention because it's the most urgent finding type.
Add rules for patterns specific to your application.
```yaml
- id: no-dangerouslySetInnerHTML
  pattern: "dangerouslySetInnerHTML"
  severity: high
  message: "Avoid dangerouslySetInnerHTML — use a sanitizer like DOMPurify."
  file_types: [".tsx", ".jsx"]
- id: require-auth-middleware
  context: "api_route_without_auth"
  severity: high
  message: "API routes must use the auth middleware."
  include_paths: ["src/app/api/"]
  exclude_paths: ["src/app/api/public/"]
```
For regulated industries, generate compliance reports from security findings.
openclaw code-review compliance --repo my-app --standard owasp-top-10 --period 2026-Q1
This generates a report mapping your security findings to OWASP Top 10 categories, showing which ones you've addressed and which remain open. Useful for SOC 2 audits.