feat(security): add code-scanning with CodeQL

[jsjoeio]

This PR adds code-scanning using CodeQL (by GitHub) to help automatically detect common vulnerability and coding errors.

Fixes #3176

[codecov]

Codecov Report

Merging #3229 (2bf0907) into main (01e001d) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #3229   +/-   ##
=======================================
  Coverage   46.90%   46.90%           
=======================================
  Files          23       23           
  Lines        1196     1196           
  Branches      237      237           
=======================================
  Hits          561      561           
  Misses        451      451           
  Partials      184      184           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 01e001d...2bf0907. Read the comment docs.

[jawnsy]

Nice! Excellent work Mr. Previte

[jawnsy]

How are we going to handle the existing findings, are we going to fix things first, or merge and then reduce them gradually?

Looks pretty useful though!

Also seems like it might be a good idea to ignore code that we don't control (e.g. lib/vscode) if we can configure things that way

[jsjoeio]

Probably merge and reduce gradually. Seems like a solid approach.

Good idea on ignoring lib/vscode. I'll see if that's configurable

[jawnsy]

@jsjoeio Replying here so it's threaded

• @jawnsy how did you know to go here for the Code scanning alerts?

I found it by clicking looking at the Actions result, then clicking "view all alerts" - super unintuitive lmao

[jsjoeio]

I found this in the docs: Specifying Directories to Scan

It's unclear whether this needs to be in a custom codeql config file or if I can put it in the workflow file. I'm going to try adding to the workflow file.

[jsjoeio]

Also opened follow-up issue: #3243

[jsjoeio]

And...there's my answer! I'll do it the proper way instead

[jsjoeio]

It worked! https://github.com/cdr/code-server/security/code-scanning?query=ref%3Arefs%2Fpull%2F3229%2Fmerge+tool%3ACodeQL

[jsjoeio]

P.S. - @jawnsy how did you know to go here for the Code scanning alerts?

My intuitive would have told me they show up here but that's not the case 🤷‍♂️