feat(ci): implement security check

[hwakabh]

AsIs

Currently no functionalities for checking securities of application codes, whereas GitHub has Code Scanning.

Seems that GitHub Actions for runinng CodeQL as continer, so this might be the best options but still need to research its details.
For goals of this issue is to implement same features as using Trivy with using CodeQL, which is GitHub provided ones.
ref: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container#example-workflow

Justifications

SSIA

(Optional) ToDo

• Job designs with CodeQL
• Added workflows triggered in every commits in PR

[github-actions]

This issue is stale because it has been open for 14 days with no activity.

[hwakabh]

Job designs with CodeQL

Regarding pipeline design, it seems better to separate current Build CI (build.yaml) for testing purpose and building purpose.
Currently build.yaml has contained both application builds (by pack-cli + vite build) and unittests (by jest + vitest), but this could be split in another workflow such as test.yaml.

[hwakabh]

Researching about CodeQL, seems that we can do sanity PoC of them:

• as docker image: https://github.com/microsoft/codeql-container
• as GitHub Actions: https://github.com/github/codeql-action (This will be the implementation of this issue)