[Issue]: Add CodeQL security analysis to PR validation workflow #89

@WilliamBerryiii

Issue Description

Add CodeQL security analysis to the PR validation workflow to achieve parity with the hve-ai-companion-guide repository's security practices.

Currently, hve-core runs CodeQL weekly via scheduled workflow and on push to main/develop branches, but does NOT run CodeQL on pull requests. The sister repository hve-ai-companion-guide includes CodeQL in its PR validation workflow, catching security issues earlier in the development cycle.

This enhancement will integrate the existing codeql-analysis.yml reusable workflow into pr-validation.yml, providing security scanning on every PR without duplicating configuration.

Additional Context

  • Research: Cross-repository analysis identified this gap during release management workflow review
  • Existing workflow: .github/workflows/codeql-analysis.yml (supports workflow_call)
  • Target file: .github/workflows/pr-validation.yml (add new job after dependency-pinning-check)
  • Implementation: 6-line job addition, follows existing patterns
  • Security: Uses minimal permissions (contents: read, security-events: write, actions: read)
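As an added illustration of the job this issue describes (not code taken from the hve-core repository), the excerpt below shows the six-line caller job wired into pr-validation.yml. The file paths, the neighbouring job name and the permission set come from the issue; the `codeql` job name, the `pull_request` trigger and the stub of the existing job are assumptions.

```yaml
# .github/workflows/pr-validation.yml (excerpt; added example, not the repository's file)
name: PR Validation

on:
  pull_request:            # trigger is an assumption; the issue only says "every PR"
    branches: [main, develop]

# Workflow-level default: read-only. Each job widens this only as far as it needs.
permissions:
  contents: read

jobs:
  dependency-pinning-check:    # existing job named in the issue; body elided here
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in practice, per the pinning check
      # ... existing pinning checks ...

  # New job placed after dependency-pinning-check. Calling the reusable workflow
  # means the CodeQL languages, queries and build steps stay defined in one file.
  # The called workflow can never receive more than the caller grants, so the
  # three scopes CodeQL needs are set here and nothing else is opened.
  codeql:
    uses: ./.github/workflows/codeql-analysis.yml   # must declare `on: workflow_call`
    permissions:
      contents: read           # check out the source being analysed
      security-events: write   # upload SARIF results to code scanning
      actions: read            # let CodeQL read workflow run metadata
```

File order does not sequence jobs; add `needs: dependency-pinning-check` only if CodeQL should wait for (and be skipped on failure of) that check. No `secrets: inherit` is required, since the CodeQL action authenticates with the job's `GITHUB_TOKEN`.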

Labels: needs-triage (Requires triage and prioritization)