
Not propose to add CodeQL when the default is already enabled #1869

Open
WikiRik opened this issue Jan 26, 2023 · 3 comments

Comments

WikiRik commented Jan 26, 2023

For a few weeks now, GitHub has allowed a default setup for code scanning (CodeQL). If this default is enabled and you add a configuration through StepSecurity, it will fail. See the logs from the sequelize repo here, especially the last two lines, which contain the following error:

Error: Code Scanning could not process the submitted SARIF file:
CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled

StepSecurity should not recommend enabling CodeQL through the 'advanced' setup (through a yml file) when the 'default' is used.

varunsh-coder (Member) commented

Thanks, @WikiRik! I will try to determine how to check whether the default setup is enabled. Would you happen to know if this info is part of earlier PRs (e.g., PR comments by CodeQL)? Or, how can one tell this based on the GitHub API?

This might also need a change to Scorecard. I will check there as well.


WikiRik commented Jan 26, 2023

That's the thing I am unsure about. Enabling the default setup does not change the codebase of the repo in any way, so there is no PR for that. I believe therefore it can only be enabled by people with write access (but I haven't checked which permissions, if any, are needed). You could see if CodeQL is run under the Actions tab, like https://github.com/sequelize/sequelize/actions/workflows/github-code-scanning/codeql

I haven't looked at the GitHub API yet, but that seems like the easiest way to detect it. It might also be something that is not yet available but will be added soon since the default setup is a relatively new feature.


WikiRik commented Jan 26, 2023

Update: I found something in the GitHub API that might work. https://docs.github.com/en/rest/code-scanning?apiVersion=2022-11-28#list-code-scanning-analyses-for-a-repository shows various analyses that were done, and based on the tool name you can find out if CodeQL was enabled. That probably covers not just the default setup but also the advanced setup, but I don't think that should be an issue.
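The check sketched in the comment above, as an added example that is not StepSecurity's, Scorecard's or GitHub's own code. It consumes the JSON array returned by the "List code scanning analyses for a repository" endpoint (`GET /repos/{owner}/{repo}/code-scanning/analyses`), reports whether any CodeQL analysis is on record, and refuses to recommend an advanced CodeQL workflow when one is. The field names (`tool.name`, `analysis_key`) follow that endpoint; the heuristic that default-setup uploads carry the `github-code-scanning/codeql` workflow path in `analysis_key` (the same path the Actions tab shows for the sequelize run linked above) is an assumption, as is treating HTTP 403/404 as "no analyses". The sample response is constructed, not real data.

```python
"""Detect whether CodeQL code scanning is already active for a repository.

Added example, not StepSecurity's or Scorecard's own code. Field names
follow GitHub's "List code scanning analyses for a repository" endpoint;
the analysis_key heuristic for telling default setup apart from an
advanced (workflow file) setup is an assumption.
"""
import json
import urllib.request
from urllib.error import HTTPError

API_BASE = "https://api.github.com"
# Assumption: default-setup uploads carry the same workflow path in
# analysis_key that the Actions tab shows for them.
DEFAULT_SETUP_MARKER = "github-code-scanning/codeql"


def fetch_analyses(owner, repo, token):
    """Call the real endpoint. Not exercised offline; shown for completeness."""
    req = urllib.request.Request(
        f"{API_BASE}/repos/{owner}/{repo}/code-scanning/analyses?per_page=100",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        # Assumption: 403 (code scanning not enabled) and 404 (nothing
        # uploaded yet) both mean "no analyses" for this check.
        if err.code in (403, 404):
            return []
        raise


def codeql_enabled(analyses):
    """True if any analysis on record was produced by the CodeQL tool."""
    return any(a.get("tool", {}).get("name") == "CodeQL" for a in analyses)


def classify_codeql_setup(analyses):
    """Split CodeQL analyses into default-setup uploads and advanced workflows.

    analysis_key has the shape "<workflow path>:<job name>", so the part
    before the colon identifies the workflow that produced the upload.
    """
    default_setup = False
    workflows = set()
    for a in analyses:
        if a.get("tool", {}).get("name") != "CodeQL":
            continue
        workflow = a.get("analysis_key", "").split(":", 1)[0]
        if DEFAULT_SETUP_MARKER in workflow:
            default_setup = True
        elif workflow:
            workflows.add(workflow)
    return {"default_setup": default_setup, "advanced_workflows": sorted(workflows)}


def should_recommend_advanced_codeql(analyses):
    """Only suggest adding a CodeQL workflow when no CodeQL setup exists.

    With the default setup on, an advanced-configuration SARIF upload is
    rejected (the error quoted in this issue), so recommending one would
    only produce a failing workflow; an existing advanced workflow makes
    the recommendation redundant.
    """
    return not codeql_enabled(analyses)


# Constructed sample response (not real data): one default-setup upload,
# one advanced-workflow upload and an unrelated ESLint upload.
SAMPLE_ANALYSES = [
    {
        "ref": "refs/heads/main",
        "analysis_key": "dynamic/github-code-scanning/codeql",
        "category": "/language:javascript",
        "tool": {"name": "CodeQL", "version": "2.12.0"},
    },
    {
        "ref": "refs/heads/main",
        "analysis_key": ".github/workflows/codeql.yml:analyze",
        "category": "/language:javascript",
        "tool": {"name": "CodeQL", "version": "2.12.0"},
    },
    {
        "ref": "refs/heads/main",
        "analysis_key": ".github/workflows/lint.yml:eslint",
        "tool": {"name": "ESLint", "version": "8.0.0"},
    },
]

if __name__ == "__main__":
    print(classify_codeql_setup(SAMPLE_ANALYSES))
    print("recommend advanced CodeQL:", should_recommend_advanced_codeql(SAMPLE_ANALYSES))
```

The token needs `security_events` read scope (or the equivalent fine-grained permission) for this endpoint; a token without it gets a 403 that the code above treats as "no analyses", so a caller that wants to distinguish "not enabled" from "not allowed to look" should inspect the error instead of swallowing it.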
