ci(security): add GitHub CodeQL SAST workflow for continuous security analysis#1265

Open
harmeetsingh11 wants to merge 1 commit into
CodeGraphContext:mainfrom
harmeetsingh11:ci/codeql-security-workflow-1175
Conversation

@harmeetsingh11

@harmeetsingh11 harmeetsingh11 commented Jun 15, 2026

Related Issue

Closes #1175

Summary

This pull request introduces a repository-wide GitHub CodeQL workflow to enable automated Static Application Security Testing (SAST) across the project's supported languages.

The repository already maintains CI pipelines for validation, testing, and deployment activities. However, security-focused static analysis was not part of the existing workflow set. This change integrates CodeQL scanning into GitHub Actions to provide continuous security analysis during development and review cycles.

Changes Implemented

  • Added a dedicated codeql.yml GitHub Actions workflow.
  • Configured CodeQL initialization for:
    • Python
    • JavaScript / TypeScript
  • Enabled analysis on:
    • Pushes to the default branch
    • Pull requests targeting the default branch
  • Added scheduled security scans to ensure recurring analysis of the codebase.
  • Integrated results with GitHub Code Scanning Alerts.
  • Leveraged GitHub-maintained CodeQL query suites for language-specific security checks and data-flow analysis.

Security Impact

The new workflow helps identify potential security issues such as:

  • Unsafe user-controlled data flows
  • Injection-related vulnerabilities
  • Insecure coding patterns
  • Language-specific security misconfigurations
  • Common application security weaknesses detectable through static analysis

By shifting these checks into CI, potential issues can be surfaced earlier in the development lifecycle before code reaches production.

CI/CD Integration

The workflow has been designed to operate independently alongside existing pipelines without affecting build, test, or deployment jobs. Security scans are executed as a dedicated CI stage and findings are published directly to GitHub's Security and Code Scanning interfaces.

Validation

  • Workflow syntax validated successfully.
  • CodeQL configuration reviewed against GitHub's recommended setup for multi-language repositories.
  • No modifications were made to application runtime logic or existing CI behavior.

Manual Verification

  • Verified workflow YAML syntax and configuration
  • Confirmed CodeQL matrix configuration for TypeScript and Python
  • Verified workflow triggers for push, pull_request, and scheduled execution
  • Confirmed SARIF upload step is configured for GitHub Code Scanning

Checklist

  • My code follows the style guidelines of this project.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • My changes generate no new warnings or console errors.
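For readers who want to see what a workflow matching the description above looks like, here is an added example, not the codeql.yml from this PR or from the CodeGraphContext project. It follows the stated design (Python plus JavaScript/TypeScript matrix, triggers on push and pull_request against main, a scheduled run, results published to GitHub Code Scanning). The workflow name, cron schedule, query suite, and the exact step layout are assumptions; the action names and versions are the public github/codeql-action and actions/checkout releases.

```yaml
# Added illustrative workflow; not the file submitted in PR #1265.
# Language list and triggers follow the PR description; the schedule,
# query suite and file layout are assumptions.
name: CodeQL

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # Weekly scan so new CodeQL queries are applied even with no commits (assumed cadence).
    - cron: "30 3 * * 1"

# Least-privilege token: the analyze step needs security-events: write
# to upload SARIF results to Code Scanning; nothing else needs write access.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      # Let the Python and JS/TS analyses finish independently;
      # one failing language should not cancel the other.
      fail-fast: false
      matrix:
        language: [ "python", "javascript-typescript" ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # GitHub-maintained suite with additional security queries (assumed choice).
          queries: security-extended

      # Builds the database, runs the queries, and uploads the SARIF
      # report to Code Scanning in one step.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per matrix entry so the two uploads do not
          # overwrite each other's alerts in the Security tab.
          category: "/language:${{ matrix.language }}"
```

Two points worth checking when reviewing a workflow like this: the `permissions` block must be present (or the repository's default token permissions must allow `security-events: write`), otherwise the upload step fails silently from the reader's point of view with no alerts appearing; and `pull_request` runs triggered from forks receive a read-only token, so on a public repository the scan still runs but results surface on the push to main rather than on the fork's PR.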

@vercel

vercel Bot commented Jun 15, 2026

@harmeetsingh11 is attempting to deploy a commit to the shashankss1205's projects Team on Vercel.

A member of the Team first needs to authorize it.

Development

Successfully merging this pull request may close these issues.

ci(security): introduce repository-wide CodeQL Static Application Security Testing (SAST) workflow

1 participant