
ci: add CodeQL for static analysis #407

Open: JoshMock wants to merge 2 commits into main from codeql
Conversation

@JoshMock JoshMock commented Jun 10, 2026

Member

Adds CodeQL static analysis of code to help enforce some of our command guidelines, namely:

  • always use a factory
  • never print to stdout from a handler

With room to expand into more rules later.

This also adds GitHub's default rule bundles for validating security best practices for various languages, in our case TypeScript and GitHub Actions.
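As an added illustration (not code from this PR or from the project), one way the "never print to stdout from a handler" guideline could be expressed as a custom CodeQL query over the JavaScript/TypeScript extractor. It assumes that command handlers live under `src/commands/` and that "printing to stdout" means `console.log`, `console.info` or `process.stdout.write`; the project's actual definition of a handler, and the set of output sinks it cares about, may differ.

```ql
/**
 * @name Direct stdout write from a command handler
 * @description Command handlers should hand output back to the CLI layer
 *              rather than printing to stdout themselves.
 * @kind problem
 * @problem.severity warning
 * @precision high
 * @id js/example/no-stdout-in-handler
 */

import javascript

/**
 * A call that writes straight to standard output. The sink set here
 * (console.log, console.info, process.stdout.write) is an assumption
 * made for this example.
 */
class StdoutWrite extends DataFlow::CallNode {
  StdoutWrite() {
    this = DataFlow::globalVarRef("console").getAMemberCall(["log", "info"])
    or
    this =
      DataFlow::globalVarRef("process").getAPropertyRead("stdout").getAMemberCall("write")
  }
}

/**
 * A function defined under the assumed handler directory. A real project
 * would replace this path test with whatever actually marks a handler
 * (a base class, a decorator, a registration call, ...).
 */
class CommandHandler extends Function {
  CommandHandler() { this.getFile().getRelativePath().matches("src/commands/%") }
}

// Flag a write whose innermost container, or any container enclosing it
// (for example a callback nested inside the handler), is a command handler.
from StdoutWrite w, CommandHandler h
where w.getContainer().getEnclosingContainer*() = h
select w, "Command handler writes directly to stdout; return the output to the caller instead."
```

To run in CI, a query like this is checked into a query pack whose `qlpack.yml` declares a dependency on `codeql/javascript-all`, and the pack (or the `.ql` path) is listed under `queries:` in the code-scanning configuration so that `github/codeql-action` evaluates it alongside the default suite; it can also be tried locally against an extracted database with `codeql database analyze`.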

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

github-actions Bot commented Jun 10, 2026

Contributor

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 1 0 0 0.25s
✅ COPYPASTE jscpd yes no no 9.29s
✅ REPOSITORY gitleaks yes no no 60.5s
✅ REPOSITORY git_diff yes no no 0.68s
✅ REPOSITORY secretlint yes no no 31.57s
✅ REPOSITORY trivy yes no no 20.52s
✅ YAML yamllint 3 0 0 0.69s

Notices

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

@JoshMock JoshMock marked this pull request as ready for review June 10, 2026 12:50
@JoshMock JoshMock marked this pull request as draft June 10, 2026 12:51
@JoshMock JoshMock force-pushed the codeql branch 2 times, most recently from afb7299 to 16c4922, June 11, 2026 09:54
@JoshMock JoshMock requested review from MattDevy and margaretjgu June 11, 2026 11:14
@JoshMock JoshMock marked this pull request as ready for review June 11, 2026 11:14