
feat: added codeQL support for security in the CI#70

Closed
Achintya-Chatterjee wants to merge 1 commit into develop from feat/codeQL

Conversation

@Achintya-Chatterjee
Contributor

Date: June 3, 2025

Developer Name: @Achintya-Chatterjee


Issue Ticket Number

Description

Documentation Updated?

  • Yes
  • No

Under Feature Flag

  • Yes
  • No

Database Changes

  • Yes
  • No

Breaking Changes

  • Yes
  • No

Development Tested?

  • Yes
  • No

Screenshots

Screenshot 1

Test Coverage

Screenshot 1

Additional Notes

@Achintya-Chatterjee Achintya-Chatterjee self-assigned this Jun 2, 2025
@coderabbitai

coderabbitai bot commented Jun 2, 2025

Summary by CodeRabbit

  • Chores
    • Introduced an advanced CodeQL workflow to automate security and quality analysis for multiple programming languages on pushes, pull requests, and scheduled runs.

Walkthrough

A new GitHub Actions workflow file named "CodeQL Advanced" has been added. This workflow automates security and quality analysis using CodeQL for multiple programming languages. It is configured to run on pushes and pull requests to the "develop" branch, as well as on a weekly schedule, and includes setup, initialization, and analysis steps.

Changes

File(s) Change Summary
.github/workflows/codeql.yml Added new workflow for multi-language CodeQL security analysis.

Poem

A CodeQL hop, a security sweep,
On "develop" branch, the checks run deep.
Python, Actions, and more in the mix,
With weekly scans and clever tricks.
From burrows of code, bugs take flight—
The rabbit ensures all’s safe and right! 🐇✨


@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@Achintya-Chatterjee Achintya-Chatterjee changed the title from "feat: added codeQL support in the CI" to "feat: added codeQL support for security in the CI" on Jun 2, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 255efb5 and 6d4a752.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/codeql.yml

[warning] 14-14: truthy value should be one of [false, true]

(truthy)


[error] 16-16: too many spaces inside brackets

(brackets)


[error] 16-16: too many spaces inside brackets

(brackets)


[error] 18-18: too many spaces inside brackets

(brackets)


[error] 18-18: too many spaces inside brackets

(brackets)


[error] 46-46: wrong indentation: expected 10 but found 8

(indentation)


[warning] 50-50: comment not indented like content

(comments-indentation)


[error] 59-59: wrong indentation: expected 6 but found 4

(indentation)

🔇 Additional comments (4)
.github/workflows/codeql.yml (4)

1-11: File Header Comments
The descriptive comments are helpful for onboarding and guiding future customization; no changes needed here.


31-41: Permission Scope
The permissions block adheres to GitHub’s least-privilege principle by granting only the required scopes for CodeQL. Well done.


87-95: Manual Build Fallback
The conditional manual-build instructions and failure exit are clear and enforce explicit build steps. No changes needed here.


14-20:

❓ Verification inconclusive

Refine Trigger Configuration and Formatting
Currently it only fires on pushes and PRs to develop. Verify whether you also want scans on main or release branches. Additionally, YAML lint flags extra spaces in the branch arrays ([ "develop" ]). For cleaner syntax and to satisfy linting, update to:

-    branches: [ "develop" ]
+    branches: ["develop"]

Refine CodeQL Workflow Triggers and Formatting
The CodeQL scan is currently limited to pushes and PRs on develop. Confirm whether you also want to include main or other release branches to ensure production code is scanned. Additionally, most YAML linters flag the extra spaces inside array brackets—update both sections as follows:

File: .github/workflows/codeql.yml (lines 14–20)

-    branches: [ "develop" ]
+    branches: ["develop"]
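Review bot: the `-`/`+` pair only removes the spaces inside the `branches` brackets (the lint errors on lines 16 and 18), while the `[warning] 14-14: truthy value should be one of [false, true]` finding in the same lint output is left unaddressed; YAML 1.1 parsers read a bare `on` key as boolean true, so either quote the key (`"on":`) or add `# yamllint disable-line rule:truthy` on that line. The hunk also shows a single `branches:` line, but as the comment text says both the `push` and `pull_request` sections need the same change.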
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL Advanced"

🧹 Nitpick (assertive)

Workflow Name Clarity
The workflow name "CodeQL Advanced" is clear. Consider aligning it with your existing naming conventions or removing the quotes for consistency.

🤖 Prompt for AI Agents
In .github/workflows/codeql.yml at line 12, the workflow name is set as "CodeQL
Advanced" with quotes. To maintain consistency with existing naming conventions,
remove the quotes around the workflow name or adjust it to match the style used
in other workflow files.

Comment on lines +97 to +100
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"

🧹 Nitpick (assertive)

Perform CodeQL Analysis
The analyze action is hooked up properly. Optionally, you could specify SARIF or upload settings if you need custom formatting or external integrations; otherwise, this looks good.

🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 97 to 100, the CodeQL analyze
action is correctly configured but lacks optional parameters for SARIF output or
upload settings. To enhance customization or integration, add parameters to
specify SARIF output file paths or upload options as needed. If no custom
formatting or external integration is required, no changes are necessary.

Comment on lines +30 to +31
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
permissions:

🧹 Nitpick (assertive)

Simplify runs-on Setup
The inline conditional expression works, but you could move the OS configuration into the matrix for better readability and easier expansion:

matrix:
  include:
    - language: swift
      os: macos-latest
      build-mode: none
    - language: python
      os: ubuntu-latest
      build-mode: none
runs-on: ${{ matrix.os }}
🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 30 to 31, the runs-on field uses an
inline conditional expression to select the OS based on the language, which
reduces readability and flexibility. Refactor by moving the OS configuration
into the matrix definition, adding an os key for each language entry, and then
update runs-on to simply use ${{ matrix.os }}. This change improves clarity and
makes it easier to add more languages or OS options in the future.

Comment on lines +69 to +77
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.


🧹 Nitpick (assertive)

Initialize CodeQL Configuration
The init step correctly drives languages and build modes via the matrix. To speed up subsequent runs, consider enabling caching:

-    uses: github/codeql-action/init@v3
+    uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
+       cache: true
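Review bot: the `+       cache: true` line adds a `with:` input that nothing on this page confirms `github/codeql-action/init@v3` accepts; the only init inputs visible in this hunk are `languages` and `build-mode`. An unrecognised `with:` key is not an error in GitHub Actions, it only logs an "Unexpected input(s)" warning, so a wrong input name would be silently ignored and no caching would happen. Check the action's documented inputs before committing this, and drop the `-`/`+` pair on the `uses:` line, which is a no-op in the suggestion.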
🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 69 to 77, the CodeQL init step
lacks caching configuration which can speed up subsequent runs. Add a cache
option under the init step by specifying cache: true to enable caching of CodeQL
databases between workflow runs, improving performance.

Comment on lines +44 to +49
matrix:
include:
- language: actions
build-mode: none
- language: python
build-mode: none

⚠️ Potential issue

Matrix include Indentation & Language Coverage
YAML lint reports the - language: entries are under-indented (expected 10 spaces, found 8), which will break the YAML. Also, double-check that all intended languages are listed. For example:

-        - language: actions
-          build-mode: none
+          - language: actions
+            build-mode: none

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 44 to 49, the entries under matrix
include are under-indented by 2 spaces, causing YAML lint errors. Adjust the
indentation of the - language: lines and their nested build-mode lines to be 10
spaces from the left margin as expected. Also, review the matrix to ensure all
required languages for the workflow are included.

Comment on lines +58 to +61
steps:
- name: Checkout repository
uses: actions/checkout@v4


⚠️ Potential issue

Fix Steps Indentation
The steps: block and its first step are misaligned. Adjust the indent so the dash is nested under steps: (two spaces in from the block key):

-     steps:
-     - name: Checkout repository
+       steps:
+         - name: Checkout repository
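Review bot: this hunk re-indents `steps:` as well as the `- name:` line, but the lint finding it is based on (`[error] 59-59: wrong indentation: expected 6 but found 4`) is on line 59 only, which is the `- name: Checkout repository` entry; `steps:` on line 58 is not flagged. Moving `steps:` to seven spaces would misalign it with the sibling job keys (`runs-on:`, `permissions:`), so leave `steps:` where it is and indent only the step entries two spaces deeper than it.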

This is critical to ensure the workflow parses correctly.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/codeql.yml around lines 58 to 61, the indentation of the
steps block and its first step is incorrect. Fix this by indenting the dash of
the first step two spaces under the steps key, ensuring proper YAML nesting and
correct workflow parsing.
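Pulling the review's separate points (bracket spacing, the `on:` truthy warning, `runs-on` driven by the matrix, and the `include` and `steps:` indentation fixes) into one lint-clean file. This is an added example, not the PR's codeql.yml: the job-level `permissions` block (not shown on this page) follows the stock CodeQL template, the weekly cron value is an assumption, the manual-build fallback step is omitted because both languages use `build-mode: none`, and only the `init` inputs already in the PR (`languages`, `build-mode`) are used.

```yaml
# Added example: a lint-clean workflow consolidating the review's fixes.
# Not the PR's own file; the permissions block and cron are assumed.
name: CodeQL Advanced

# Quoted so YAML 1.1 parsers and linters do not read the key as boolean true.
"on":
  push:
    branches: ["develop"]
  pull_request:
    branches: ["develop"]
  schedule:
    - cron: "30 6 * * 1"  # assumed weekly slot; the PR's cron is not on this page

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # OS comes from the matrix instead of an inline conditional on runs-on.
    runs-on: ${{ matrix.os }}
    permissions:
      security-events: write  # needed to upload SARIF results to code scanning
      packages: read          # needed to fetch CodeQL packs
      actions: read           # only needed for private repositories
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # Each entry is two spaces in from `include:` (lint finding on line 46
        # of the PR's file).
        include:
          - language: actions
            build-mode: none
            os: ubuntu-latest
          - language: python
            build-mode: none
            os: ubuntu-latest
    steps:
      # Step entries are two spaces in from `steps:` (lint finding on line 59).
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Running `yamllint .github/workflows/codeql.yml` on this version should report none of the truthy, brackets or indentation findings listed above.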

@iamitprakash iamitprakash deleted the feat/codeQL branch July 24, 2025 09:14