Add CodeQL security scanning

[jhutchings1]

Hi, I'm a PM on the GitHub security team. This repository is eligible to try the new GitHub Advanced Security code scanning beta.

Code scanning runs a static analysis tool called CodeQL which scans your code at build time to find any potential security issues. We've tuned the set of queries to be only the most severe, most precise issues. We'll show alerts in the security tab, and we'll show alerts for any net new vulnerabilities on pull requests as well. We've tried to make this super developer friendly, but we'd love your feedback as we work through the beta.

If you're interested in trying it out, you can merge this pull request to set up the Actions workflow. You can also get this set up yourself in any additional repositories in this organization by following these instructions

[jhutchings1]

The CodeQL build isn't working for this project right now, so I'm looping back with the team to sort out what's happening. Closing this for now.

[orta]

This repo has a lot of bad JS/TS as a part of its compiler testing suite, you could probably start by scoping it to only handling code inside the src folder

[jhutchings1]

Thanks @orta. Our parser was definitely barfing on one of the stress testing files, so I've excluded the test assets. The build works properly now.

[sandersn]

Let's try it out.

[sandersn]

@jhutchings1 @andrewbranch noticed that this behaves badly with PRs that were opened before it was added:

do you know why the CodeQL scanner thing is going out of its way to check out the source branch head instead of the merge commit of the PR? It means every PR that was opened before it was added is failing that check, unless we manually merge/rebase with master. I guess this problem will eventually go away, but not testing the merge commit on PR checks seems like an antipattern.

[jhutchings1]

@sandersn Thanks for your feedback here! It's true that we're currently requiring that there's an analysis on the head of the PR branch, plus one on the head of the base branch so we can show PR annotations. We don't post annotations on PRs when there's not an analysis on the head of the base branch because we can't baseline the source of the alert to say for sure if it's net new in the developer's PR. We want to make sure that a contributor doesn't get blocked for debt issues that are already in the repo before they made their changes. Hope that makes sense.

We're looking at shifting to the merge commit in the future, although this will require a workflow update. cc: @rneatherway