
#8951: docs: Add security scan workflow template (Trivy + KICS + TruffleHog)

by Nefas11 · open · 2026-02-04 17:00 · label: docs
## Summary

This PR adds security scanning examples to help OpenClaw users secure their workspaces.

## What's Included

### 1. Security Scan Workflow Template (`docs/security/scan-workflow-template.yml`)

A GitHub Actions workflow template that runs:

- **Trivy** - CVE/vulnerability scanning for dependencies
- **KICS** - Infrastructure as Code security scanning
- **TruffleHog** - Secret detection in git history

Based on [Catena-X TRG 8](https://eclipse-tractusx.github.io/docs/release/trg-8/) security guidelines used in automotive/enterprise environments.

### 2. Pre-Commit Hook Guide (`docs/security/pre-commit-secrets.md`)

Step-by-step instructions for setting up a local pre-commit hook that:

- Scans for secrets before each commit
- Blocks commits containing verified secrets
- Reduces risk of accidental secret exposure

## Why This Matters

- 91% of prompt injection attacks succeed against unprotected AI assistants ([source](https://www.zeroleaks.com/prompt-injection-study))
- Secrets in git history are a common attack vector
- Automated scanning catches issues before they become problems

## Testing

These templates have been tested and are actively used in production OpenClaw deployments.

---

## AI-Assisted Disclosure

- [x] This PR was built with AI assistance (Claude Sonnet)
- [x] Degree of testing: **manually validated** — templates tested in production OpenClaw deployment
- [x] I understand what the templates do and have reviewed all generated output
- [ ] Session logs: available on request

---

## Checklist

- [x] Docs-only change (no code modified)
- [x] No personal data included
- [x] Generic, copy-paste templates only
- [x] Documentation in English
- [x] References to industry standards (Catena-X TRG 8)
- [x] macOS CI failures are pre-existing upstream (unrelated to this PR)
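As an added example of the kind of hook the pre-commit guide describes (this is not code from the PR, from its `docs/security/` files, or from the OpenClaw project), below is a `pre-commit` script that runs TruffleHog on the commit being created and blocks it only when a *verified* secret is found. Assumptions: TruffleHog v3 is installed as `trufflehog`; the invocation `trufflehog git file://. --since-commit HEAD --only-verified --fail` is the one TruffleHog's own README gives for pre-commit use, and `--fail` makes it exit with status 183 when findings exist; the JSON key names used by `summarize` (`DetectorName`, and `file` under `SourceMetadata`) follow TruffleHog's `--json` output as I understand it, so check them against your installed version. The sample finding is constructed and contains a fake, redacted value.

```shell
#!/bin/sh
# pre-commit: block the commit when TruffleHog reports a verified secret.
# Added example, not code from the PR or the OpenClaw project. Assumes
# TruffleHog v3 on PATH and that this file lives at .git/hooks/pre-commit.
set -u

# TruffleHog with --fail exits 183 when it found results and 0 when clean.
# Any other status (binary missing -> 127, crash, bad flags) is "error":
# the hook fails closed, so a broken scanner never silently waves a secret
# through. Mapping 183 -> block is an assumption about TruffleHog v3.
decide() {
  case "$1" in
    0)   printf 'allow\n' ;;
    183) printf 'block\n' ;;
    *)   printf 'error\n' ;;
  esac
}

# Reduce TruffleHog --json output (one JSON object per finding, one per
# line) to "<detector> in <file>" using only grep/sed, so the hook does not
# depend on jq. Key names are an assumption about TruffleHog's JSON schema.
summarize() {
  while IFS= read -r line; do
    det=$(printf '%s' "$line" | grep -o '"DetectorName":"[^"]*"' | sed 's/.*:"//;s/"$//')
    file=$(printf '%s' "$line" | grep -o '"file":"[^"]*"' | sed 's/.*:"//;s/"$//')
    printf '%s in %s\n' "${det:-unknown}" "${file:-unknown}"
  done
}

# Constructed sample finding (fake, redacted value; not real TruffleHog
# output) so summarize() can be exercised without running the scanner.
SAMPLE_FINDING='{"SourceMetadata":{"Data":{"Git":{"commit":"0000000","file":"config/settings.yml","line":3}}},"DetectorName":"AWS","Verified":true,"Redacted":"AKIA****************"}'

main() {
  # --since-commit HEAD limits the scan to what this commit introduces,
  # --only-verified keeps findings TruffleHog confirmed against the real
  # service (the PR's "block on verified secrets" rule), --fail gives the
  # exit code decide() keys on, --json gives summarize() its input.
  if findings=$(trufflehog git file://. --since-commit HEAD --only-verified --fail --json 2>/dev/null); then
    status=0
  else
    status=$?
  fi
  case "$(decide "$status")" in
    allow) exit 0 ;;
    block)
      printf 'pre-commit: verified secret(s) found, commit blocked:\n' >&2
      printf '%s\n' "$findings" | summarize >&2
      printf 'Remove the value, then rotate it: "verified" means it is live.\n' >&2
      exit 1 ;;
    *)
      printf 'pre-commit: trufflehog failed (exit %s); refusing to commit.\n' "$status" >&2
      exit 1 ;;
  esac
}

# Only run the scan when git invokes this file as the pre-commit hook.
case "$0" in
  */pre-commit|pre-commit) main ;;
esac
```

Install it with `cp pre-commit .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`. Two caveats worth keeping in the guide: a local hook is advisory, since `git commit --no-verify` skips it, so the CI workflow the PR also ships is the actual enforcement point; and because `--only-verified` means the credential was confirmed against the issuing service, a blocked commit is a live-credential incident and the secret must be rotated, not just removed from the diff.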
