
Add CodeQL #129

Closed

jschlyter wants to merge 1 commit into main from feature/codeql


Conversation

@jschlyter jschlyter (Member) commented Aug 15, 2025

Summary by CodeRabbit

  • Chores
    • Introduced automated CodeQL code scanning that runs on pushes to main, pull requests to main, and a weekly schedule.
    • Configured analysis for GitHub Actions and Python code with no build required.
    • Publishes results to the repository’s code scanning alerts for ongoing visibility.

@jschlyter jschlyter requested a review from a team as a code owner August 15, 2025 07:46
@coderabbitai coderabbitai Bot (Contributor) commented Aug 15, 2025

Walkthrough

Adds a new GitHub Actions workflow (.github/workflows/codeql.yml) named “CodeQL Advanced” to run CodeQL code scanning on pushes to main, pull requests to main, and a weekly schedule, with a matrix over languages (actions, python) using build-mode: none, and steps for checkout, init, optional manual build guidance, and analyze.

Changes

Cohort / File(s): CI: CodeQL Workflow (.github/workflows/codeql.yml)
Change Summary: Introduces a CodeQL scanning workflow with triggers (push, PR, schedule), matrix over languages (actions, python), dynamic runner selection, configured permissions, and steps for checkout, CodeQL init, conditional manual build-mode guidance, and analysis execution.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Job as Analyze Job
    participant CodeQL as CodeQL Action

    Dev->>GH: Push to main / Open PR / Weekly schedule
    GH->>Job: Start matrix job (language: actions|python)
    Job->>Job: Select runner (macOS for Swift else ubuntu-latest)
    Job->>Job: actions/checkout@v4
    Job->>CodeQL: github/codeql-action/init@v3 (language, build-mode: none)
    alt build-mode: manual (if configured)
        Job->>Job: Print guidance and fail step
    end
    Job->>CodeQL: github/codeql-action/analyze@v3 (category per language)
    CodeQL-->>GH: Upload results (security events)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

I nose through code with twitching cheer,
A burrow of scans keeps bugs in fear.
Hop, hop—matrix lanes align,
Queries nibble every line.
Under moonlit CI’s glow,
CodeQL tracks where shadows go. 🐇✨


@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (5)
.github/workflows/codeql.yml (5)

14-21: Consider adding manual dispatch trigger for ad-hoc scans

Adding workflow_dispatch enables maintainers to run CodeQL scans on demand (e.g., after query/config changes).

Apply this diff:

 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
   schedule:
     - cron: '23 23 * * 6'
+  workflow_dispatch:
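Review bot: Adding workflow_dispatch is harmless since the trigger takes no inputs, but the "Run workflow" button only appears in the Actions UI once this workflow file exists on the default branch (main), so the manual trigger becomes usable only after this PR is merged, not from feature/codeql.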

31-41: Tighten permissions for public repos (optional)

For public repositories, actions: read and contents: read are typically unnecessary to declare explicitly; security-events: write and (if needed) packages: read suffice. Dropping extras reduces token scope.

If this repo is public, consider:

     permissions:
       # required for all workflows
       security-events: write

-      # required to fetch internal or private CodeQL packs
-      packages: read
-
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
+      # required only if using internal/private CodeQL packs
+      packages: read
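Review bot: The -/+ pair on packages: read only rewrites its comment, so the net effect of this hunk is the removal of actions: read and contents: read. Because a declared permissions block sets every unlisted permission to none, actions/checkout and the CodeQL upload would then run with no contents scope and rely on the repository staying public, exactly the condition the note below ("If private, current settings are fine") puts on it. Keeping contents: read regardless costs nothing and keeps the workflow working if the repository visibility ever changes.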

If private, current settings are fine.


68-80: Enable broader query suites for deeper findings

By default, CodeQL runs security-focused queries. Consider also including security-and-quality to catch correctness and maintainability issues.

Apply this diff:

       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@
-        # queries: security-extended,security-and-quality
+        queries: +security-extended,security-and-quality
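Review bot: security-and-quality already contains every query in security-extended (it is security-extended plus maintainability and reliability queries), so listing both is redundant and `queries: +security-and-quality` is enough. Expect a noticeably higher alert volume in the Security tab once the quality queries run over the Python code, so plan to triage the first batch rather than gating merges on it immediately.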

The leading “+” appends to any config-defined queries instead of overriding them.


59-61: Pin actions to commit SHAs for supply-chain hardening

Using version tags (@v3/@v4) is common, but pinning to immutable commit SHAs is a stronger security posture.

Consider replacing:

  • uses: actions/checkout@v4
    with a specific commit SHA from the action’s Releases page, and optionally keep a trailing comment with the tag, e.g.:
  • uses: actions/checkout@ # v4

Repeat similarly for github/codeql-action steps below.


22-24: Optional: Add workflow concurrency to avoid redundant runs

Helps save CI minutes by canceling in-progress runs of the same workflow/ref (useful on PR churn).

This goes at the top level (same level as “on” and “jobs”):

 name: "CodeQL Advanced"

 on:
   push:
     branches: [ "main" ]
@@
   schedule:
     - cron: '23 23 * * 6'

+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   analyze:
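Review bot: With cancel-in-progress: true and the group key falling back to github.ref, a push to main cancels any still-running scan of main, including the scheduled weekly run (which also executes on refs/heads/main), so the default branch can be left without a completed analysis until the next trigger. Limit cancellation to pull requests instead, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The literal codeql- prefix and ${{ github.workflow }} in the group key are also redundant with each other; one is enough.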
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 4de7097 and e7c8d3f.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml (1 hunks)
🔇 Additional comments (6)
.github/workflows/codeql.yml (6)

1-12: LGTM: Solid baseline CodeQL workflow

Good, descriptive name and helpful commentary preserved. No functional concerns here.


30-30: Runner selection expression is acceptable

The boolean short-circuit expression for macOS on Swift and Ubuntu otherwise is valid and commonly used.


70-74: Init parameters look correct

languages and build-mode wired to matrix entries as expected.


81-96: Manual build guidance step is helpful

Clear instructions and explicit failure on manual mode are good safeguards.


97-100: Analysis step correctly categorizes per language

Category labeling aids in SARIF grouping and UI clarity.


42-50: Languages verified — CodeQL matrix OK for this repo

Search found 20 Python files and no JS/TS, Go, Java/Kotlin, C/C++, Ruby, Rust, Swift, or Actions workflow files.

  • File under review: .github/workflows/codeql.yml (lines 42–50) — matrix includes actions and python.
  • Recommendation: no changes required; keep the matrix as-is. Add other languages later if the repo adds files in those ecosystems.

@jschlyter jschlyter closed this Aug 15, 2025