Add CodeQL Multi-Language Analysis Workflow for Java and Python

[Copilot]

This PR implements a comprehensive CodeQL workflow to enable automated security analysis for Java and Python codebases. The workflow follows GitHub's current best practices for multi-language code scanning.

What's Added

• .github/workflows/codeql-analysis.yml - New CodeQL workflow that:

  • Analyzes both Java and Python code
  • Sets up JDK 17 with Temurin distribution
  • Configures Python 3.x environment
  • Uses the latest stable GitHub Actions (checkout@v4, setup-java@v4, setup-python@v5, codeql-action@v3)
  • Creates separate databases for each language
  • Uploads SARIF results for security dashboard integration

• myBuildScript - Executable build script that:

  • Handles the build process for CodeQL database creation
  • Creates proper source directory structure
  • Supports both Java and Python project layouts
  • Includes placeholder source files for testing

Workflow Features

The workflow triggers on:

• Pushes to the main branch
• Pull requests targeting main
• Manual workflow dispatch

Security permissions are properly configured to allow:

• Reading repository contents
• Writing security events for SARIF upload
• Reading workflow actions

Benefits

• Enhanced Security: Automated detection of security vulnerabilities and coding errors
• Multi-Language Support: Comprehensive analysis for both Java and Python codebases
• Modern Tooling: Uses the latest GitHub Actions for optimal performance and security
• Integration Ready: Results appear in the repository's Security tab for easy review

The implementation follows GitHub's recommended patterns for CodeQL workflows and can be easily extended to support additional languages in the future.

This pull request was created as a result of the following prompt from Copilot chat.

Replace the existing CodeQL workflow with an updated version that:

• Supports both Java and Python analysis
• Explicitly sets up JDK 17 and Python 3.x
• Uses the latest stable GitHub Actions (actions/checkout@v4, setup-java@v4, setup-python@v5, codeql-action@v3)
• Follows current best practices for multi-language analysis

Workflow file to create/replace:
.github/workflows/codeql-analysis.yml

Workflow contents:

name: "CodeQL Multi-Language Analysis"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

jobs:
  codeql:
    name: CodeQL Analysis for Java and Python
    runs-on: ubuntu-latest

    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'

      - name: Set up Python 3.x
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java, python

      - name: Build using myBuildScript
        run: ./myBuildScript

      - name: Create CodeQL databases
        run: |
          codeql database create codeql-dbs --source-root=src \
            --db-cluster --language=java,python --command=./myBuildScript

      - name: Analyze Java database
        run: |
          codeql database analyze codeql-dbs/java java-code-scanning.qls \
            --format=sarif-latest --sarif-category=java --output=java-results.sarif

      - name: Analyze Python database
        run: |
          codeql database analyze codeql-dbs/python python-code-scanning.qls \
            --format=sarif-latest --sarif-category=python --output=python-results.sarif

      - name: Upload Java SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: java-results.sarif

      - name: Upload Python SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: python-results.sarif

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/setup-java	4.*.*	🟢 6	Details Check Score Reason Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/setup-python	5.*.*	🟢 5.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 14 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/github/codeql-action/init	3.*.*	Unknown	Unknown
actions/github/codeql-action/upload-sarif	3.*.*	Unknown	Unknown

Scanned Files

• .github/workflows/codeql-analysis.yml