feat: add CodeQL security analysis workflow#40

Merged

abhizipstack merged 2 commits into main from fix/codeql-analysis on Apr 7, 2026

Conversation

@abhizipstack (Contributor)

What

  • Add CodeQL automated security scanning for Python and JavaScript

Why

  • No SAST (Static Application Security Testing) configured on the repo
  • CodeQL detects security vulnerabilities: SQL injection, XSS, command injection, path traversal
  • Complements SonarCloud which focuses on code quality (bugs, smells, coverage)
  • Free for public repos, built into GitHub

How

  • New workflow .github/workflows/codeql-analysis.yml
  • Scans both Python and JavaScript in parallel
  • Triggers: PRs to main, pushes to main, weekly Monday schedule
  • Results appear in GitHub Security tab and as PR checks

Can this PR break any existing features? If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled.)

  • No — adds a new workflow only. No code changes. CodeQL is read-only analysis.

Database Migrations

  • None

Env Config

  • None — CodeQL uses built-in GITHUB_TOKEN, no additional secrets needed

Relevant Docs

Related Issues or PRs

Dependencies Versions

  • github/codeql-action@v3

Notes on Testing

  • CodeQL will run on this PR itself
  • After merge: weekly scheduled scans + PR scans active
  • Check results: Security tab > Code scanning alerts

Screenshots

N/A

Checklist

I have read and understood the Contribution Guidelines.

Adds automated security scanning for Python and JavaScript:
- Runs on PRs to main and pushes to main
- Weekly scheduled scan (Monday 6am UTC)
- Results visible in GitHub Security tab + PR checks
- Complements SonarCloud (code quality) with SAST (security)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@greptile-apps

greptile-apps bot commented Apr 6, 2026

Greptile Summary

This PR adds a new GitHub Actions workflow (.github/workflows/codeql-analysis.yml) that enables CodeQL automated security scanning for both Python and JavaScript in parallel. It is a CI/CD-only change with no impact on application code.

  • Scans trigger on pushes to main, pull requests targeting main, and weekly on Mondays at 06:00 UTC
  • Python and JavaScript are scanned in parallel via a matrix strategy with fail-fast: false
  • Concurrency group correctly includes ${{ matrix.language }} so the two language jobs do not cancel each other (the previously flagged bug is resolved)
  • Permissions are appropriately minimal: security-events: write (to post alerts) and contents: read (for checkout only)
  • Results surface in the GitHub Security tab as code-scanning alerts
  • No application code is changed; this is a read-only analysis addition
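The workflow file itself is not reproduced on this page, so the following is an added example (not the PR's own file) that reconstructs a CodeQL workflow matching the behaviour described above: push and pull_request triggers on main, a Monday 06:00 UTC schedule, a two-language matrix with fail-fast disabled, a job-level concurrency group that includes matrix.language, and the minimal contents: read / security-events: write permissions. The exact shape of the concurrency group key, the use of cancel-in-progress, the actions/checkout@v4 step and the per-language analyze category are assumptions chosen for illustration; only github/codeql-action@v3 is named on the page.

```yaml
# Added example: a CodeQL workflow reconstructed from the PR description.
# Not the repository's actual .github/workflows/codeql-analysis.yml.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly, Monday 06:00 UTC (minute hour day-of-month month day-of-week)
    - cron: "0 6 * * 1"

# Least privilege: the job only needs to read the checkout and write
# code-scanning alerts. Nothing else is granted to GITHUB_TOKEN.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest

    # Concurrency is declared at job level so the group key can reference the
    # matrix context. Including matrix.language keeps the python and javascript
    # jobs in separate groups; a key of only github.ref would make one cancel
    # the other when cancel-in-progress is enabled. (Key layout is an assumption.)
    concurrency:
      group: codeql-${{ github.workflow }}-${{ github.ref }}-${{ matrix.language }}
      cancel-in-progress: true

    strategy:
      # Let the second language finish even if the first one fails.
      fail-fast: false
      matrix:
        language: [python, javascript]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4   # version is an assumption

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so the two SARIF uploads do not
          # overwrite each other's alerts in the Security tab. (Assumption.)
          category: "/language:${{ matrix.language }}"
```

The review thread on this PR already raised SHA pinning; in a hardened version each `uses:` tag above would be replaced by the action's full commit SHA (with the tag kept in a trailing comment), which prevents a moved tag from silently changing the code that runs with security-events: write. Those SHAs are not on this page, so they are deliberately not shown here.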

Confidence Score: 5/5

Safe to merge — workflow-only change with no application code impact and no new blocking issues found

Both previously flagged issues have been addressed or already noted: the concurrency group bug is fixed (matrix.language is now included in the group key), and SHA pinning was already raised in prior review threads. No new P0 or P1 issues were identified in this pass.

No files require special attention

Important Files Changed

Filename Overview
.github/workflows/codeql-analysis.yml New CodeQL security scanning workflow with parallel matrix jobs; concurrency group correctly includes matrix.language, permissions are minimal and appropriate

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Event
    participant WF as CodeQL Workflow
    participant PY as analyze (python)
    participant JS as analyze (javascript)
    participant SEC as Security Tab

    GH->>WF: push to main / PR / weekly schedule
    WF->>PY: matrix job: python (parallel)
    WF->>JS: matrix job: javascript (parallel)
    PY->>PY: checkout → init CodeQL → analyze
    JS->>JS: checkout → init CodeQL → analyze
    PY-->>SEC: upload SARIF results
    JS-->>SEC: upload SARIF results

Reviews (2): Last reviewed commit: "fix: move concurrency inside job to avoi..."


Concurrency group now includes matrix.language so Python and
JavaScript analysis run independently without cancelling each other.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@abhizipstack abhizipstack self-assigned this Apr 6, 2026

@wicky-zipstack wicky-zipstack (Contributor) left a comment

LGTM

@abhizipstack abhizipstack merged commit b78ec29 into main Apr 7, 2026
6 of 7 checks passed
4 participants