chore: add codeQL to CI

[dpgaspar]

SUMMARY

Add codeQL to our CI workflow.

CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts.

Main docs: https://docs.github.com/en/code-security

Will perform python code scanning when:

• A PR is merged to master
• A PR is opened -> Results for the PR are available to everyone as annotations
• Daily at 04:00am -> Results are only available to repo writers

For Pull requests:
If you have read permission for a repository, you can see annotations on pull requests. With write permission, you can see detailed information and resolve code scanning alerts for that repository.

Heres an example from a test PR:

List of common weakness detection: https://codeql.github.com/codeql-query-help/python-cwe/

This will work as a trial, if may be proven unproductive to have codeQL enabled for every PR. So disabling for PR's or further tweaking will probably be needed.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[rusackas]

Nonblocking question about gradually widening the scope of the tooling, but I love this!

[rusackas]

Would it make sense to widen this to the whole codebase? maybe in a subsequent PR, once we've gotten the first part under control?

[dpgaspar]

it would, javascript and typescript are supported. let's give it a ride first on the backend