wip

Author: sebastienfontaine

.github/workflows/ci.yml

@@ -38,60 +38,64 @@ jobs:
         if: always()
         uses: davelosert/vitest-coverage-report-action@v2
 
-  semgrep_scan:
-    name: semgrep/ci
-    runs-on: ubuntu-latest
-    container:
-      image: returntocorp/semgrep
-    # Skip any PR created by dependabot to avoid permission issues:
-    if: (github.actor != 'dependabot[bot]')
-    permissions:
-      security-events: write
-      actions: read
-      contents: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Perform Semgrep Analysis (fails on findings)
-        run: semgrep scan -q --error --config auto --sarif -o semgrep-results.sarif .
-
-      - name: Save SARIF results as artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: semgrep-scan-results
-          path: semgrep-results.sarif
-
-      - name: Upload SARIF result to the GitHub Security Dashboard
-        if: always() && hashFiles('semgrep-results.sarif') != ''
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: semgrep-results.sarif
+#  semgrep_scan:
+#    name: semgrep/ci
+#    runs-on: ubuntu-latest
+#    container:
+#      image: returntocorp/semgrep
+#    # Skip any PR created by dependabot to avoid permission issues:
+#    if: (github.actor != 'dependabot[bot]')
+#    permissions:
+#      security-events: write
+#      actions: read
+#      contents: read
+#    steps:
+#      - name: Checkout repository
+#        uses: actions/checkout@v4
+#
+#      - name: Perform Semgrep Analysis (fails on findings)
+#        run: semgrep scan -q --error --config auto --sarif -o semgrep-results.sarif .
+#
+#      - name: Save SARIF results as artifact
+#        uses: actions/upload-artifact@v4
+#        with:
+#          name: semgrep-scan-results
+#          path: semgrep-results.sarif
+#
+#      - name: Upload SARIF result to the GitHub Security Dashboard
+#        if: always() && hashFiles('semgrep-results.sarif') != ''
+#        uses: github/codeql-action/upload-sarif@v3
+#        with:
+#          sarif_file: semgrep-results.sarif
 
   gitleaks_scan:
     name: Gitleaks Secret Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-
-      - name: Run Gitleaks (fail on leaks)
-        uses: docker://gitleaks/gitleaks:latest
         with:
-          args: detect --source . --no-git --redact --report-format sarif --report-path gitleaks.sarif --exit-code 1
+          fetch-depth: 0  # Fetch all history for all branches and tags
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # Only needed for Gitleaks Enterprise
 
       - name: Upload Gitleaks SARIF as artifact
-        if: always() && hashFiles('gitleaks.sarif') != ''
+        if: always() && hashFiles('results.sarif') != ''
         uses: actions/upload-artifact@v4
         with:
           name: gitleaks-scan-results
-          path: gitleaks.sarif
+          path: results.sarif
 
       - name: Upload Gitleaks SARIF to Code Scanning
-        if: always() && hashFiles('gitleaks.sarif') != ''
+        if: always() && hashFiles('results.sarif') != ''
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: gitleaks.sarif
+          sarif_file: results.sarif
+          category: gitleaks
 
   dependency_audit:
     name: Dependency Vulnerability Audit
@@ -114,50 +118,50 @@ jobs:
       - name: Audit dependencies (high severity and above)
         run: npx --yes audit-ci --package-manager yarn --severity high
 
-  codeql_sast:
-    name: CodeQL SAST
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: javascript-typescript
-          queries: security-extended,security-and-quality
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-
-      - name: Perform CodeQL Analysis (generate SARIF)
-        uses: github/codeql-action/analyze@v3
-        with:
-          output: codeql-results
-          upload: true
-          wait-for-processing: true
-
-      - name: Upload CodeQL SARIF as artifact
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: codeql-scan-results
-          path: codeql-results/*.sarif
-
-      - name: Fail if CodeQL alerts found
-        run: |
-          set -euo pipefail
-          files=(codeql-results/*.sarif)
-          if [ ${#files[@]} -eq 0 ]; then
-            echo "No SARIF files found in codeql-results; skipping fail check."
-            exit 0
-          fi
-          total=$(jq '[.runs[].results | length] | add // 0' ${files[@]})
-          echo "CodeQL alerts: $total"
-          if [ "$total" -gt 0 ]; then
-            echo "Failing due to CodeQL alerts."
-            exit 1
-          fi
+#  codeql_sast:
+#    name: CodeQL SAST
+#    runs-on: ubuntu-latest
+#    steps:
+#      - name: Checkout repository
+#        uses: actions/checkout@v4
+#
+#      - name: Initialize CodeQL
+#        uses: github/codeql-action/init@v3
+#        with:
+#          languages: javascript-typescript
+#          queries: security-extended,security-and-quality
+#
+#      - name: Autobuild
+#        uses: github/codeql-action/autobuild@v3
+#
+#      - name: Perform CodeQL Analysis (generate SARIF)
+#        uses: github/codeql-action/analyze@v3
+#        with:
+#          output: codeql-results
+#          upload: true
+#          wait-for-processing: true
+#
+#      - name: Upload CodeQL SARIF as artifact
+#        if: always()
+#        uses: actions/upload-artifact@v4
+#        with:
+#          name: codeql-scan-results
+#          path: codeql-results/*.sarif
+#
+#      - name: Fail if CodeQL alerts found
+#        run: |
+#          set -euo pipefail
+#          files=(codeql-results/*.sarif)
+#          if [ ${#files[@]} -eq 0 ]; then
+#            echo "No SARIF files found in codeql-results; skipping fail check."
+#            exit 0
+#          fi
+#          total=$(jq '[.runs[].results | length] | add // 0' ${files[@]})
+#          echo "CodeQL alerts: $total"
+#          if [ "$total" -gt 0 ]; then
+#            echo "Failing due to CodeQL alerts."
+#            exit 1
+#          fi
 
   clamav_malware_scan:
     name: ClamAV Malware Scan

docs/SECURITY-TESTING.md

@@ -78,10 +78,30 @@ semgrep scan --config auto .
 brew install gitleaks  # macOS
 # or download from https://github.com/gitleaks/gitleaks/releases
 
-# Run scan
-gitleaks detect --source . --no-git
+# Run scan (detects secrets in current state)
+gitleaks detect --source . --verbose
+
+# Scan full git history (like CI does)
+gitleaks detect --source . --verbose --log-opts="--all"
+
+# Generate SARIF report (like CI)
+gitleaks detect --source . --report-path results.sarif --report-format sarif
+
+# Baseline: Create a baseline to ignore existing issues
+gitleaks detect --source . --baseline-path .gitleaks-baseline.json
 ```
 
+**Understanding output:**
+- Exit code 0: No leaks detected
+- Exit code 1: Leaks detected (pipeline will fail)
+
+**Common secret types detected:**
+- AWS keys, GCP keys, Azure keys
+- GitHub tokens, GitLab tokens
+- Database credentials
+- Private keys (RSA, SSH)
+- API keys and tokens
+
 ### Dependency Audit
 
 ```bash

docs/SECURITY.md

@@ -27,6 +27,9 @@ Tab Modifier uses multiple security scanning tools in the CI/CD pipeline to ensu
 ### 4. Gitleaks Secret Scan
 - **Purpose**: Detects hardcoded secrets, API keys, and credentials
 - **Configuration**: `.github/workflows/ci.yml` - `gitleaks_scan` job
+- **Action**: Official `gitleaks/gitleaks-action@v2`
+- **Scope**: Full git history scan (`fetch-depth: 0`)
+- **Results**: Uploaded to GitHub Security Dashboard as SARIF
 - **Action on detection**: Pipeline fails if secrets are found
 
 ### 5. Dependency Vulnerability Audit