Closed
Description
Configure GitHub Advanced Security Code Scanning for automated vulnerability detection.
Objectives
- Enable GitHub Code Scanning with CodeQL
- Add security scanning to CI pipeline
- Configure CodeQL for Rust language
- Set up automated security alerts
- Integration with GitHub Security tab
Code Scanning Features
- Static Analysis: Detect security vulnerabilities in code
- CodeQL Queries: Industry-standard security patterns
- Pull Request Integration: Scan PRs before merge
- Security Advisories: Auto-create advisories for findings
- Dashboard: View findings in Security tab
Implementation
- Create .github/workflows/codeql.yml
- Configure Rust language scanning
- Set scan schedule (weekly + on PR)
- Configure query suites (security-extended)
- Link findings to SECURITY.md
Benefits
- Automated security vulnerability detection
- Industry-standard CodeQL analysis
- Integration with GitHub Security tab
- Professional security posture
- Complements cargo-deny and cargo-audit
- Required for enterprise adoption
Rust-Specific Configuration
- Language: rust
- Query suite: security-extended
- Scan frequency: weekly + on_pull_request
- Autobuild for Cargo projects
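A workflow that carries out the implementation steps above with the Rust-specific settings listed, written here as an added example rather than a file taken from the repository; the branch name `main`, the cron time and the use of `build-mode: none` for the Rust extractor are assumptions.

```yaml
# .github/workflows/codeql.yml (added example; file contents are assumed, not from the issue)
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]          # scan PRs before merge
  schedule:
    # Weekly scan, Mondays 03:00 UTC (assumed time; the issue only asks for "weekly")
    - cron: "0 3 * * 1"

permissions:
  contents: read                  # checkout only; the job never writes to the repo
  security-events: write          # required to upload SARIF results to the Security tab
  actions: read                   # needed on private repositories to read workflow status

jobs:
  analyze:
    name: Analyze Rust
    runs-on: ubuntu-latest
    timeout-minutes: 60

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: rust
          # Assumption: the Rust extractor builds its database from Cargo metadata
          # without a separate compile step, so no explicit build step is listed.
          build-mode: none
          # Broader suite than the default: more security findings, somewhat more noise.
          queries: security-extended

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:rust"
```

Results appear under the repository's Security tab and as checks on pull requests; the security-extended suite trades a higher false-positive rate for wider coverage, so expect some triage when it is first enabled.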