feat(security): add codeql.yml for SAST scanning

[don-petry]

Summary

• Adds the required codeql.yml CodeQL Analysis workflow to resolve compliance finding Compliance: missing-codeql.yml #39
• Scans the actions ecosystem (required for repos with .github/workflows/*.yml per the CI standard)
• Triggers: push/PR to main + weekly Friday scan (12:00 PM EST)
• codeql-action pinned to v4.35.1 SHA per the Action Pinning Policy

Notes

• Job name Analyze (actions) matches the Analyze (<lang>) pattern required for branch protection checks
• permissions: {} top-level with least-privilege per-job scopes (actions: read, security-events: write, contents: read)
• All actions SHA-pinned; Dependabot will keep them updated

Closes #39

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 58 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 10 minutes and 58 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3709bf6c-7caa-48b0-baa2-8ca6ca384684

📥 Commits

Reviewing files that changed from the base of the PR and between b1e410a and 2c2701a.

📒 Files selected for processing (1)

• .github/workflows/codeql.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-39-20260408-2242

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds a GitHub CodeQL Analysis workflow to bring the repository into compliance with the org CI standard and enable SAST scanning for the GitHub Actions ecosystem.

Changes:

• Introduces .github/workflows/codeql.yml to run CodeQL on pushes/PRs to main and on a weekly schedule.
• Configures CodeQL to scan the actions language with least-privilege permissions and SHA-pinned actions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

Self-review complete — one action item for @don-petry

The workflow is correct and all checks pass except Analyze (actions), which fails with:

Code Scanning could not process the submitted SARIF file:
CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled

This is a repository settings conflict: GitHub's Default Setup for CodeQL is still enabled. When an advanced configuration (codeql.yml) and the default setup both try to upload SARIF results, GitHub rejects the advanced one.

To fix (one-time settings change):

1. Go to Settings → Security → Code scanning
2. Under CodeQL analysis, click Switch to advanced (or disable Default setup)
3. Once switched, re-run the failed Analyze (actions) check — it will pass

This is the same fix noted in the PR #84 comment history. The workflow file itself is correct; it just cannot coexist with Default Setup.

After disabling Default Setup and re-running the check, this PR is ready to merge. @don-petry please review and merge when CI is green.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud