
Enable CodeQL SAST Workflow #3620

@duranserkan

Description

I propose integrating CodeQL into our CI/CD pipeline. CodeQL is a powerful Static Application Security Testing (SAST) tool.

Why CodeQL?

  • Deep Analysis: Unlike standard linters, which mostly check for stylistic errors or simple logic flaws, CodeQL performs taint analysis over the Abstract Syntax Tree (AST). This allows it to model data flow through the application and detect security vulnerabilities (such as SQL injection or XSS) with a much higher degree of confidence. Running SAST scans on every commit and Pull Request is a modern security best practice.

  • Maintained by GitHub: This is a first-party tool developed and maintained directly by GitHub.

    • This ensures seamless integration with the "Security" and "Actions" tabs in our repository.
    • Long-term stability and compatibility with GitHub Actions.
    • Regular updates based on the latest security research.

You can inspect the successful run logs and valid configuration here to see it in action:
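
The following is an added, illustrative CodeQL workflow showing what "scan every commit and Pull Request" looks like as a GitHub Actions configuration; it is not the configuration linked from the issue and not this project's own file. It assumes the workflow path `.github/workflows/codeql.yml`, a default branch named `main`, and a code base written in JavaScript and Python (the `language` matrix must be adjusted to the real repository).

```yaml
# .github/workflows/codeql.yml (assumed path)
# Added illustrative workflow; not the configuration linked from the issue.
# Assumption: the repository holds JavaScript and Python code; edit the
# `language` matrix to match the real code base.
name: "CodeQL SAST"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "17 3 * * 1"   # weekly run also picks up newly published queries

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      actions: read          # lets the action read run metadata on private repos
      contents: read         # least privilege: only source checkout is needed
      security-events: write # required to upload SARIF results to the Security tab
    strategy:
      fail-fast: false       # one language failing must not hide the others' results
      matrix:
        language: [ "javascript", "python" ]   # assumption, see header comment
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Builds the CodeQL database for the selected language. `security-extended`
      # adds lower-precision security queries on top of the default suite; drop
      # it if the alert volume is too noisy for the team.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # Runs the taint-tracking queries over the database and uploads the SARIF
      # results so alerts appear on the Security tab and as PR checks.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Alerts raised on a pull request can be made blocking by marking the CodeQL check as required in the branch protection rules; the `security-events: write` permission is the only elevated scope the job needs.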
