Context
CodeQL is GitHub's static-analysis security scanner. Free for public repos. It catches common vulnerability patterns (XSS sinks, injection, prototype pollution, unsafe `eval`) that ESLint and `svelte-check` don't flag.
For a Tauri app this is especially relevant — the JS frontend talks to Rust over IPC, and any unvalidated string flowing from frontend → `invoke()` → Rust handler is a potential exploit path.
Action
Add `.github/workflows/codeql.yml`:
- Languages: `javascript-typescript` (covers .ts, .svelte). Optionally also `rust` if it works for the project's structure.
- Schedule: weekly + on push to main + on PRs to main.
- Queries: default `security-and-quality` pack.
Use the GitHub-suggested template: https://github.com/stultus/scriptty/security/code-scanning
Findings appear in the Security tab and as PR annotations.