wip

Author: sebastienfontaine

.github/workflows/ci.yml

@@ -158,3 +158,44 @@ jobs:
             echo "Failing due to CodeQL alerts."
             exit 1
           fi
+
+  clamav_malware_scan:
+    name: ClamAV Malware Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install ClamAV
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clamav clamav-daemon
+
+      - name: Update ClamAV database
+        run: |
+          sudo systemctl stop clamav-freshclam || true
+          sudo freshclam --verbose
+
+      - name: Scan repository with ClamAV
+        run: |
+          echo "Starting ClamAV scan of repository..."
+          clamscan -r -i --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=dist . > clamav-scan.log 2>&1 || true
+          cat clamav-scan.log
+
+      - name: Check for infections
+        run: |
+          if grep -q "Infected files: 0" clamav-scan.log; then
+            echo "✅ No malware detected!"
+            exit 0
+          else
+            echo "❌ Malware detected! Check the scan log."
+            grep "FOUND" clamav-scan.log || true
+            exit 1
+          fi
+
+      - name: Upload ClamAV scan log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: clamav-scan-log
+          path: clamav-scan.log

docs/SECURITY-TESTING.md

@@ -0,0 +1,147 @@
+# Security Testing Guide
+
+This guide explains how to run security scans locally before pushing to CI.
+
+## ClamAV Malware Scan
+
+### Installation
+
+**macOS:**
+```bash
+brew install clamav
+```
+
+**Ubuntu/Debian:**
+```bash
+sudo apt-get update
+sudo apt-get install clamav clamav-daemon
+```
+
+### Update Virus Database
+
+```bash
+# Stop the freshclam daemon if running
+sudo systemctl stop clamav-freshclam  # Linux
+# or
+brew services stop clamav  # macOS
+
+# Update the database
+sudo freshclam
+# or
+freshclam  # if running as user
+```
+
+### Run Scan Locally
+
+```bash
+# Scan the repository (excluding node_modules, .git, dist)
+clamscan -r -i --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=dist .
+```
+
+**Options:**
+- `-r` : Recursive scan
+- `-i` : Only show infected files
+- `--exclude-dir` : Exclude specific directories
+
+### Expected Output
+
+If no malware is detected:
+```
+----------- SCAN SUMMARY -----------
+Known viruses: 8700000
+Engine version: 1.0.0
+Scanned directories: X
+Scanned files: XXX
+Infected files: 0
+Data scanned: XX.XX MB
+Time: XX.XXX sec (X m XXs)
+Start Date: YYYY:MM:DD HH:MM:SS
+End Date:   YYYY:MM:DD HH:MM:SS
+```
+
+## Other Security Scans
+
+### Semgrep
+
+```bash
+# Install
+pip install semgrep
+
+# Run scan
+semgrep scan --config auto .
+```
+
+### Gitleaks (Secret Detection)
+
+```bash
+# Install
+brew install gitleaks  # macOS
+# or download from https://github.com/gitleaks/gitleaks/releases
+
+# Run scan
+gitleaks detect --source . --no-git
+```
+
+### Dependency Audit
+
+```bash
+# Check for vulnerable dependencies
+npx audit-ci --package-manager yarn --severity high
+```
+
+### All Tests
+
+```bash
+# Run unit tests with coverage
+yarn test
+yarn coverage
+```
+
+## Continuous Integration
+
+All these scans run automatically in GitHub Actions on every push:
+
+- **Test** : Unit tests with coverage
+- **Semgrep** : SAST security scanning
+- **CodeQL** : Advanced security analysis
+- **Gitleaks** : Secret detection
+- **Dependency Audit** : npm/yarn vulnerability check
+- **ClamAV** : Malware detection
+
+Check `.github/workflows/ci.yml` for the full CI configuration.
+
+## Troubleshooting
+
+### ClamAV Database Update Fails
+
+If `freshclam` fails with permission errors:
+```bash
+sudo freshclam
+```
+
+If it fails because the daemon is running:
+```bash
+# Linux
+sudo systemctl stop clamav-freshclam
+sudo freshclam
+sudo systemctl start clamav-freshclam
+
+# macOS
+brew services stop clamav
+freshclam
+brew services start clamav
+```
+
+### ClamAV Scan Takes Too Long
+
+Use the `-i` flag to only show infected files and speed up output:
+```bash
+clamscan -r -i --exclude-dir=node_modules .
+```
+
+### False Positives
+
+If ClamAV reports a false positive:
+1. Verify the file is legitimate
+2. Report to ClamAV: https://www.clamav.net/reports/fp
+3. Add to exclusion list if needed

docs/SECURITY.md

@@ -2,6 +2,39 @@
 
 This document describes security measures implemented in Tab Modifier.
 
+## CI/CD Security Scanning
+
+Tab Modifier uses multiple security scanning tools in the CI/CD pipeline to ensure code quality and security:
+
+### 1. ClamAV Malware Scan
+- **Purpose**: Detects viruses, trojans, and other malware in the codebase
+- **Frequency**: On every push to any branch
+- **Configuration**: `.github/workflows/ci.yml` - `clamav_malware_scan` job
+- **Coverage**: Scans all files except `node_modules`, `.git`, and `dist`
+- **Action on detection**: Pipeline fails if malware is detected
+
+### 2. Semgrep SAST (Static Application Security Testing)
+- **Purpose**: Detects security vulnerabilities and code quality issues
+- **Configuration**: `.github/workflows/ci.yml` - `semgrep_scan` job
+- **Results**: Uploaded to GitHub Security Dashboard as SARIF
+
+### 3. CodeQL SAST
+- **Purpose**: Advanced semantic code analysis for security vulnerabilities
+- **Configuration**: `.github/workflows/ci.yml` - `codeql_sast` job
+- **Queries**: `security-extended` and `security-and-quality`
+- **Results**: Uploaded to GitHub Security Dashboard
+
+### 4. Gitleaks Secret Scan
+- **Purpose**: Detects hardcoded secrets, API keys, and credentials
+- **Configuration**: `.github/workflows/ci.yml` - `gitleaks_scan` job
+- **Action on detection**: Pipeline fails if secrets are found
+
+### 5. Dependency Vulnerability Audit
+- **Purpose**: Checks for known vulnerabilities in npm/yarn dependencies
+- **Configuration**: `.github/workflows/ci.yml` - `dependency_audit` job
+- **Severity**: Fails on HIGH severity and above
+- **Tool**: `audit-ci` with yarn
+
 ## ReDoS (Regular Expression Denial of Service) Protection
 
 ### Background