From 248580b53330affa763743f7eaf4d23cf1e8633e Mon Sep 17 00:00:00 2001 From: Dennis Konkol Date: Fri, 5 Sep 2025 23:28:11 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Add=20CodeQL=20Security=20Scanni?= =?UTF-8?q?ng?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ✅ CodeQL Workflow: - Automated JavaScript/TypeScript analysis - Runs on push/PR to production branch - Weekly scheduled scans - Security events reporting 🔧 Features: - Code vulnerability detection - Dependency security scanning - Integration with GitHub Security tab - Professional security posture 🎯 Combined with existing Trivy scanning for comprehensive security coverage --- .github/workflows/codeql.yml | 46 ++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..62a9468 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,46 @@ +name: "CodeQL" + +on: + push: + branches: [ "production" ] + pull_request: + branches: [ "production" ] + schedule: + - cron: '0 0 * * 0' # Weekly scan + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + - name: Install dependencies + run: npm ci + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}"