feat: add security tooling with ESLint plugin and Semgrep CI

- Add eslint-plugin-security with detect-object-injection disabled
- Add pnpm audit:check script for dependency scanning
- Add GitHub Actions workflow for Semgrep SAST on push/PR
- Document security tooling and patterns in CLAUDE.md and README.md
- Add eslint-disable comments for legitimate non-literal RegExp in rss-fetcher
- Upgrade vite 5→7, vitest 1→4, @vitejs/plugin-vue 5→6

Author: charlesjones-dev

.github/workflows/security.yml

@@ -0,0 +1,29 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  semgrep:
+    name: Semgrep Scan
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Semgrep
+        # Excluded rules produce false positives in this codebase:
+        # - unsafe-formatstring: LOG_PREFIX is a hardcoded constant, not user input
+        # - detect-non-literal-regexp: tagName/attrName are internal XML parsing params
+        run: >-
+          semgrep scan
+          --config auto
+          --config p/javascript
+          --config p/typescript
+          --exclude-rule javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
+          --exclude-rule javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+          --error

CLAUDE.md

@@ -13,6 +13,8 @@ pnpm dev          # Start dev server with hot reload
 pnpm build        # Production build (runs vue-tsc first)
 pnpm test         # Run all tests once
 pnpm test:watch   # Run tests in watch mode
+pnpm lint         # Run ESLint (includes security rules)
+pnpm audit:check  # Scan dependencies for vulnerabilities
 ```
 
 **Loading the extension in Chrome:**
@@ -122,6 +124,39 @@ pnpm build        # Type check + build
 pnpm lint:fix     # Auto-fix lint issues
 pnpm format       # Auto-fix formatting
 pnpm test         # Run tests
+pnpm audit:check  # Check for vulnerable dependencies
 ```
 
 Fix any errors before considering the implementation complete.
+
+## Security
+
+### Security Tooling
+
+The project uses three layers of security scanning:
+
+1. **eslint-plugin-security** - Integrated into ESLint, runs on every `pnpm lint`
+   - Detects eval, non-literal RegExp, child_process usage, unsafe regex patterns
+   - `detect-object-injection` disabled (too many false positives with TS)
+
+2. **pnpm audit** - Dependency vulnerability scanning via `pnpm audit:check`
+   - Fails on moderate+ severity vulnerabilities
+   - Run before releases or when updating dependencies
+
+3. **Semgrep** - SAST in GitHub Actions CI (`.github/workflows/security.yml`)
+   - Runs on push/PR to main
+   - Uses `auto`, `p/javascript`, `p/typescript` rulesets
+   - Two rules excluded as false positives (see workflow comments)
+
+### Security Patterns in Codebase
+
+- **Origin validation**: `src/background/index.ts` validates content script origins against `ALLOWED_CONTENT_SCRIPT_ORIGINS`
+- **Input validation**: `src/shared/validation.ts` sanitizes all user inputs
+- **Secure storage**: API keys in `chrome.storage.local`, never in sync storage or exposed to content scripts
+- **No dynamic code**: ESLint blocks eval/Function patterns
+
+### Running Semgrep Locally
+
+```bash
+docker run --rm -v "$(pwd):/src" semgrep/semgrep semgrep scan --config auto --config p/javascript --config p/typescript /src
+```

README.md

@@ -230,6 +230,48 @@ See [privacy-policy.md](./privacy-policy.md) for the full privacy policy.
 
 ---
 
+## Security
+
+ReplyQueue uses multiple layers of security tooling to catch vulnerabilities early.
+
+### Static Analysis
+
+| Tool | Purpose | Command |
+|------|---------|---------|
+| `eslint-plugin-security` | Detects common security anti-patterns in JS/TS | `pnpm lint` |
+| `pnpm audit` | Scans dependencies for known CVEs | `pnpm audit:check` |
+| Semgrep | SAST scanning for injection, XSS, and more | CI only (or Docker locally) |
+
+### CI Integration
+
+The `.github/workflows/security.yml` workflow runs Semgrep on every push and PR to `main`, using:
+- `auto` - Semgrep's recommended security rules
+- `p/javascript` - JavaScript-specific security patterns
+- `p/typescript` - TypeScript-specific security patterns
+
+### Running Security Checks Locally
+
+```bash
+# ESLint security rules (included in lint)
+pnpm lint
+
+# Dependency vulnerability scan
+pnpm audit:check
+
+# Semgrep via Docker
+docker run --rm -v "$(pwd):/src" semgrep/semgrep semgrep scan --config auto --config p/javascript --config p/typescript /src
+```
+
+### Security Practices
+
+- **Origin validation** - Background script validates message origins against allowlist
+- **Input sanitization** - All user inputs validated before processing
+- **No eval/Function** - Dynamic code execution patterns are blocked by ESLint
+- **Secure storage** - API keys stored in `chrome.storage.local`, never exposed to content scripts
+- **CSP compliance** - Extension follows Chrome's Content Security Policy requirements
+
+---
+
 ## Troubleshooting
 
 ### Extension not loading

eslint.config.js

@@ -3,6 +3,7 @@ import tseslint from '@typescript-eslint/eslint-plugin';
 import tsparser from '@typescript-eslint/parser';
 import vue from 'eslint-plugin-vue';
 import vueParser from 'vue-eslint-parser';
+import security from 'eslint-plugin-security';
 import globals from 'globals';
 
 export default [
@@ -27,10 +28,13 @@ export default [
     plugins: {
       '@typescript-eslint': tseslint,
       vue,
+      security,
     },
     rules: {
       ...tseslint.configs.recommended.rules,
       ...vue.configs['flat/recommended'].rules,
+      ...security.configs.recommended.rules,
+      'security/detect-object-injection': 'off', // Too many false positives with TypeScript strict mode
       'vue/multi-word-component-names': 'off',
       '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_', varsIgnorePattern: '^_' }],
       '@typescript-eslint/no-explicit-any': 'warn',
@@ -61,9 +65,12 @@ export default [
     },
     plugins: {
       '@typescript-eslint': tseslint,
+      security,
     },
     rules: {
       ...tseslint.configs.recommended.rules,
+      ...security.configs.recommended.rules,
+      'security/detect-object-injection': 'off', // Too many false positives with TypeScript strict mode
       '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_', varsIgnorePattern: '^_' }],
       '@typescript-eslint/no-explicit-any': 'warn',
       'no-undef': 'off',

package.json

@@ -11,7 +11,8 @@
     "lint": "eslint src tests --max-warnings 0",
     "lint:fix": "eslint src tests --fix",
     "format": "prettier --write .",
-    "format:check": "prettier --check ."
+    "format:check": "prettier --check .",
+    "audit:check": "pnpm audit --audit-level=moderate"
   },
   "dependencies": {
     "rss-parser": "^3.13.0",
@@ -25,19 +26,20 @@
     "@types/node": "^20.11.30",
     "@typescript-eslint/eslint-plugin": "^8.53.0",
     "@typescript-eslint/parser": "^8.53.0",
-    "@vitejs/plugin-vue": "^5.0.4",
+    "@vitejs/plugin-vue": "^6.0.3",
     "autoprefixer": "^10.4.19",
     "canvas": "^3.2.1",
     "eslint": "^9.39.2",
+    "eslint-plugin-security": "^3.0.1",
     "eslint-plugin-vue": "^10.7.0",
     "globals": "^17.0.0",
     "happy-dom": "^20.0.0",
     "postcss": "^8.4.38",
     "prettier": "^3.8.0",
     "tailwindcss": "^3.4.1",
     "typescript": "^5.4.3",
-    "vite": "^5.2.6",
-    "vitest": "^1.4.0",
+    "vite": "^7.3.1",
+    "vitest": "^4.0.17",
     "vue-eslint-parser": "^10.2.0",
     "vue-tsc": "^2.0.7"
   }