From df9dca100680a0d6cb8cdee5c80fd50976376aec Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Sat, 4 Jul 2026 21:26:01 -0400 Subject: [PATCH] chore(security): add pinned least-privilege CodeQL scanning Continuous SAST (Python) on push/PR + weekly. Actions pinned to SHA; job-scoped permissions (security-events: write only where needed). --- .github/workflows/codeql.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..8acd0b2 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,27 @@ +name: codeql +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: "27 3 * * 1" +permissions: + contents: read +jobs: + analyze: + name: analyze python + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: github/codeql-action/init@411c4c9a36b3fca4d674f06b6396b2c6d23522c6 # v3 + with: + languages: python + build-mode: none + - uses: github/codeql-action/analyze@411c4c9a36b3fca4d674f06b6396b2c6d23522c6 # v3 + with: + category: "/language:python"