
feat(security): CodeQL workflow + security alerts setup guide#79

Merged
adm01-debug merged 2 commits into
mainfrom
claude/p1-security-alerts-codeql
Apr 30, 2026

Conversation

@adm01-debug
Owner

📋 Description

Adds security layer 4 (CodeQL static analysis) and documents the 5 layers plus the UI toggles.

🎯 Type of change

  • 🚀 feat — continuous static analysis
  • 📚 docs — consolidated security guide

🌐 Affected systems

  • GitHub Actions (new CodeQL workflow)
  • GitHub Security tab (fed by CodeQL)
  • Operational documentation

🧪 How to validate

  1. After merge, go to Actions → the CodeQL workflow should run
  2. After the first complete run (~5 min), check https://github.com/adm01-debug/Promo_Gifts/security/code-scanning
  3. UI toggles (Dependabot Alerts + Secret Scanning) are covered by a tracking issue

✅ Pre-merge checklist

  • Official GitHub workflow (not a fork)
  • Minimal permissions (security-events: write only where needed)
  • queries: security-extended (stricter than the default)
  • Cron schedule avoids a bottleneck in PR CI

🔗 Related issue

Tracking issue created after merge.

Copilot AI review requested due to automatic review settings April 30, 2026 15:58

coderabbitai Bot commented Apr 30, 2026

Warning

Rate limit exceeded

@adm01-debug has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 6 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fb3b02f0-092c-49c8-be3d-e1eaeae62444

📥 Commits

Reviewing files that changed from the base of the PR and between 0c19542 and a1a5ab6.

📒 Files selected for processing (2)
  • .github/workflows/codeql.yml
  • docs/SECURITY_ALERTS.md

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)
Validation error: String must contain at most 250 character(s) at "tone_instructions"
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

@adm01-debug adm01-debug merged commit b26a8c6 into main Apr 30, 2026
5 of 9 checks passed

Copilot AI left a comment


Pull request overview

Adds continuous static analysis via CodeQL in GitHub Actions and documents, in a consolidated guide, how to enable and validate security alerts (scanning layers and UI toggles) in the repository.

Changes:

  • Creates the workflow .github/workflows/codeql.yml for CodeQL (JS/TS) with security-extended and a weekly cron.
  • Adds docs/SECURITY_ALERTS.md explaining the defense layers and the steps to enable and validate the UI toggles.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Files reviewed:
  • docs/SECURITY_ALERTS.md: operational guide consolidating the security layers and how to enable and validate alerts on GitHub.
  • .github/workflows/codeql.yml: new GitHub Actions workflow running CodeQL on PR/push and on a schedule.


Comment thread docs/SECURITY_ALERTS.md
@@ -0,0 +1,94 @@
# 🛡️ Security Alerts — Configuração Completa

Este repo tem 4 camadas de defesa de segurança. As 2 primeiras já estão como código (este PR adiciona a 4ª). As 2 do meio precisam ser ativadas no UI.
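Review bot: the intro's "este PR adiciona a 4ª" ties the document to this PR; once merged, a reader of docs/SECURITY_ALERTS.md has no PR context, so state the current situation instead (which layers are already configured as code, which are UI toggles) and, if the provenance matters, record the PR in a changelog line rather than in the intro. The layer count in this sentence ("4 camadas") also disagrees with the PR description, which documents 5 layers, so the intro should be brought in line with the rest of the guide.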

Copilot AI Apr 30, 2026


The introduction says the repo has "4 layers" and that "the 2 in the middle" need to be enabled in the UI, but the table itself lists 5 layers and, at the end, you state that the UI layers are 3 and 5. Adjust the introduction text so it is consistent (e.g., mention 5 layers and state explicitly that 3 and 5 are UI toggles).

Suggested change
Este repo tem 4 camadas de defesa de segurança. As 2 primeiras já estão como código (este PR adiciona a 4ª). As 2 do meio precisam ser ativadas no UI.
Este repo tem 5 camadas de defesa de segurança. As camadas 1, 2 e 4 já estão configuradas como código (este PR adiciona a 4ª). As camadas 3 e 5 precisam ser ativadas no UI.

Comment on lines +3 to +9
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 9 * * 1'
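Review bot: `pull_request` on `main` carries no path filter, so a PR that only touches Markdown triggers a full JS/TS CodeQL run that can find nothing; a `paths-ignore` of `**/*.md` under `pull_request` alone would cut that cost while leaving the `push` and `schedule` coverage of `main` untouched. One caveat before the CodeQL check is made a required status check: a run skipped by `paths-ignore` never reports, so the check stays pending and blocks the merge, and GitHub's documented workaround is a companion workflow with the inverse filter that returns success. A comment on `'0 9 * * 1'` would also help the next reader: Actions cron runs in UTC, so this is Mondays at 09:00 UTC.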

Copilot AI Apr 30, 2026


The PR says the schedule (cron) "avoids a bottleneck in PR CI", but this workflow also runs on every pull_request against main (in addition to push), which keeps the cost in PR CI. Either adjust the description/guide to reflect this, or change the triggers (e.g., remove pull_request or restrict by paths/branches) to align with the stated goal.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@adm01-debug adm01-debug deleted the claude/p1-security-alerts-codeql branch May 9, 2026 21:03

3 participants