Add CodeQL security analysis

[newmattock]

Summary

• add a CodeQL workflow that scans the JavaScript and TypeScript codebase on pushes to main and pull requests
• document the CodeQL Security tab baseline and high/critical alert triage expectations in SECURITY.md

Fixes #417

Payment signal: Stellar Wave, 75 points.

Validation

• git diff --check
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/codeql.yml"); puts "workflow yaml parsed"'

Note: actionlint is not installed in this local environment. The first repository CodeQL run will produce the baseline Security tab result.

Summary by CodeRabbit

• Chores

  • Implemented CodeQL security analysis workflow for JavaScript and TypeScript
  • Configured to run on every pull request and push to main branch
  • Security findings are automatically reported to GitHub Security tab

• Documentation

  • Added Static Security Analysis section to security policy
  • Documents automated scanning procedures and finding review guidelines

[vercel]

@newmattock is attempting to deploy a commit to the ritik4ever's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Warning

Review limit reached

@ritik4ever, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2a9db397-81df-4c92-bb1a-f9fa67936ab6

📥 Commits

Reviewing files that changed from the base of the PR and between 278b967 and dd1ea23.

📒 Files selected for processing (2)

• .github/workflows/codeql.yml
• SECURITY.md

📝 Walkthrough

Walkthrough

This PR adds CodeQL static security analysis for the JavaScript/TypeScript codebase by introducing a GitHub Actions workflow that scans on every push to main and all pull requests, complemented by security policy documentation describing the scanning process and alert review guidance.

Changes

CodeQL Security Analysis Setup

Layer / File(s)	Summary
CodeQL Workflow and Documentation .github/workflows/codeql.yml, SECURITY.md	GitHub Actions workflow initializes and runs CodeQL for JavaScript/TypeScript with minimal permissions (read for actions and contents, write for security-events); SECURITY.md documents the scanning cadence, results visibility in the GitHub Security tab, and maintainer responsibilities for reviewing and prioritizing alerts.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related issues

• `ci: add GitHub Actions workflow for Soroban contract build and test #284`: Adds identical CodeQL GitHub Actions workflow and SECURITY.md documentation to enable JavaScript/TypeScript static analysis; directly related parallel implementation.

Poem

🐰 A rabbit hops through code so bright,
CodeQL scanning day and night,
Security alerts now in sight,
main branch stays secure and tight! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Add CodeQL security analysis' accurately and concisely summarizes the main change, directly reflecting the addition of CodeQL security scanning to the repository.
Linked Issues check	✅ Passed	The PR implements all coding requirements from issue #417: adds a GitHub Actions CodeQL workflow scanning JavaScript/TypeScript, configures it for main branch pushes and PRs, documents the setup in SECURITY.md, and includes proper security event permissions.
Out of Scope Changes check	✅ Passed	All changes are directly within scope: the .github/workflows/codeql.yml workflow implementation and SECURITY.md documentation align precisely with issue #417's requirements for CodeQL security analysis.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 19-20: The checkout step "Checkout repository" using
actions/checkout@v4 is persisting the GitHub token; update that step to include
a with block that sets persist-credentials: false so credentials are not written
to .git/config (i.e., modify the checkout step for actions/checkout@v4 to
include with: persist-credentials: false).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a0bd46f3-1682-4188-9a15-153b838af170

📥 Commits

Reviewing files that changed from the base of the PR and between f775986 and 278b967.

📒 Files selected for processing (2)

• .github/workflows/codeql.yml
• SECURITY.md

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.