ci(security): add CodeQL static analysis workflow for JavaScript and Python #219

Open

harmeetsingh11 wants to merge 1 commit into thetechguardians:main from harmeetsingh11:ci/codeql-security-analysis-204

Conversation

harmeetsingh11 commented Jun 16, 2026

Related Issue

Closes #204 (ci: introduce CodeQL workflow for automated static analysis)

Description

Summary

This pull request introduces a dedicated GitHub CodeQL workflow to enable automated static application security testing (SAST) within the repository's CI pipeline.

The workflow is configured using GitHub's recommended CodeQL actions and provides continuous security analysis for both JavaScript and Python codebases.

Changes Implemented

  • Added .github/workflows/codeql.yml
  • Configured CodeQL analysis for:
    • JavaScript
    • Python
  • Enabled workflow execution on:
    • push events targeting the default branch
    • pull_request events
    • Weekly scheduled scans
  • Integrated official GitHub CodeQL actions:
    • github/codeql-action/init
    • github/codeql-action/autobuild
    • github/codeql-action/analyze
  • Kept the workflow isolated from existing CI jobs to avoid disruption of current build and test pipelines

Why This Change?

As the repository grows, automated security analysis becomes increasingly important for maintaining code quality and reducing the likelihood of introducing security-related defects.

This workflow provides:

  • Continuous security monitoring during development
  • Early detection of common vulnerability patterns
  • Improved visibility into potential security risks through GitHub Code Scanning
  • Alignment with modern DevSecOps and secure SDLC practices
  • Additional quality assurance without requiring changes to existing workflows

Validation

  • Verified workflow syntax and structure against GitHub Actions standards.
  • Confirmed support for both JavaScript and Python analysis.
  • Ensured triggers operate independently of existing CI workflows.
  • No application source code or runtime behavior was modified.

Expected Outcome

After merging:

  • CodeQL scans will automatically run on pull requests and default branch updates.
  • Security findings will be surfaced directly within GitHub's Code Scanning interface.
  • Contributors will receive actionable security feedback earlier in the review process.
  • The repository gains an additional automated security layer with minimal maintenance overhead.

Manual Verification

  • Verified workflow YAML syntax and configuration
  • Confirmed CodeQL matrix configuration for TypeScript and Python
  • Verified workflow triggers for push, pull_request, and scheduled execution
  • Confirmed SARIF upload step is configured for GitHub Code Scanning

Checklist

  • My code follows the style guidelines of this project.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • My changes generate no new warnings or console errors.
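The workflow the description lists (init, autobuild and analyze actions; push, pull_request and weekly schedule triggers; JavaScript and Python) as an added illustrative example. This is not the file from this PR: the cron value, the `main` branch name, the action versions, the permissions block and the commented-out query suite are assumptions, and `javascript-typescript` is the single CodeQL language identifier that covers both JavaScript and TypeScript sources, which is why the two earlier titles of this PR describe the same matrix.

```yaml
# .github/workflows/codeql.yml (illustrative reconstruction, not the PR's file)
name: "CodeQL"

on:
  push:
    branches: ["main"]          # default branch of the target repo (assumed)
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "30 3 * * 1"        # weekly scan, Mondays 03:30 UTC (constructed value)

# Least-privilege token: only the SARIF upload in the analyze step needs
# security-events:write; everything else stays read-only.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # one language failing must not cancel the other
      matrix:
        # "javascript-typescript" covers both JavaScript and TypeScript files.
        language: ["javascript-typescript", "python"]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Optional: widen the default suite to the security-extended queries.
          # queries: security-extended

      - name: Autobuild
        # Interpreted languages need no build; this step is effectively a no-op
        # here but keeps the job valid if a compiled language is added later.
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        # Runs the query suite and uploads SARIF results to GitHub Code Scanning.
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The `category` input keeps each matrix leg's results distinct in Code Scanning, so the Python upload does not overwrite the JavaScript one.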

@harmeetsingh11 harmeetsingh11 changed the title ci(security): add CodeQL static analysis workflow ci(security): add CodeQL static analysis workflow for Typescript and Python Jun 16, 2026
@harmeetsingh11 harmeetsingh11 changed the title ci(security): add CodeQL static analysis workflow for Typescript and Python ci(security): add CodeQL static analysis workflow for Javascript and Python Jun 16, 2026

Development

Successfully merging this pull request may close these issues.

ci: introduce CodeQL workflow for automated static analysis

1 participant