🔍 chore: add CodeQL configuration for security scanning

[rubentalstra]

Summary

This PR introduces CodeQL security scanning to our repository. It adds a new CodeQL configuration file and a GitHub Actions workflow that automatically runs security analyses on our codebase. These changes aim to proactively detect vulnerabilities and improve the overall security posture of the project.

Changes

• .codeql-config.yml

  • Added a configuration file to define the paths for CodeQL scanning.
  • Excludes test directories and files (**/test/**, **/__tests__/**, **/*.spec.*, and **/*.test.*) to focus the analysis on production code.

• .github/workflows/codeql.yml

  • Added a new GitHub Actions workflow for CodeQL.
  • The workflow triggers on pushes and pull requests to the main branch, as well as on a scheduled basis (every Friday at 23:43).
  • It initializes CodeQL for the specified languages (currently using the javascript-typescript configuration) and performs a security analysis based on our custom configuration.
  • Provides an optional section for a manual build step if needed for specific languages.

Motivation and Context

Integrating CodeQL into our CI pipeline helps us automatically scan for security vulnerabilities and bugs, ensuring our code remains secure as it evolves. By excluding test files from the analysis, we reduce noise and focus on critical production code. This change aligns with our commitment to security best practices and continuous improvement of our code quality.

Testing

• Locally:

  • Verify the presence of the new configuration and workflow files in your local repository.

• CI/CD:

  • Open a pull request or push to the main branch to trigger the CodeQL workflow.
  • Monitor the GitHub Actions tab to ensure that the CodeQL analysis runs successfully.

Checklist

• My code adheres to this project's style guidelines.
• I have performed a self-review of my changes.
• The new CodeQL configuration excludes non-production files.
• The CodeQL workflow is configured to run on pushes, pull requests, and a weekly schedule.
• Documentation and comments have been added where necessary.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.