chore: add .github/workflows/codeql-analysis.yml from MokoStandards

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,115 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# This file is part of a Moko Consulting project.
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: GitHub.Workflow.Template
+# INGROUP: MokoStandards.Security
+# REPO: https://github.com/mokoconsulting-tech/MokoStandards
+# PATH: /templates/workflows/generic/codeql-analysis.yml
+# VERSION: 04.00.15
+# BRIEF: CodeQL security scanning workflow (generic — all repo types)
+# NOTE: Deployed to .github/workflows/codeql-analysis.yml in governed repos.
+#       CodeQL does not support PHP directly; JavaScript scans JSON/YAML/shell.
+#       For PHP-specific security scanning see standards-compliance.yml.
+
+name: CodeQL Security Scanning
+
+on:
+  push:
+    branches:
+      - main
+      - dev/**
+      - rc/**
+      - version/**
+  pull_request:
+    branches:
+      - main
+      - dev/**
+      - rc/**
+  schedule:
+    # Weekly on Monday at 06:00 UTC
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  pull-requests: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL does not support PHP. Use 'javascript' to scan JSON, YAML,
+        # and shell scripts. Add 'actions' to scan GitHub Actions workflows.
+        language: ['javascript', 'actions']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
+          upload: true
+          output: sarif-results
+          wait-for-processing: true
+
+      - name: Upload SARIF results
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.5.0
+        with:
+          name: codeql-results-${{ matrix.language }}
+          path: sarif-results
+          retention-days: 30
+
+      - name: Step summary
+        if: always()
+        run: |
+          echo "### 🔍 CodeQL — ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          URL="https://github.com/${{ github.repository }}/security/code-scanning"
+          echo "See the [Security tab]($URL) for findings." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Severity | SLA |" >> $GITHUB_STEP_SUMMARY
+          echo "|----------|-----|" >> $GITHUB_STEP_SUMMARY
+          echo "| Critical | 7 days |" >> $GITHUB_STEP_SUMMARY
+          echo "| High     | 14 days |" >> $GITHUB_STEP_SUMMARY
+          echo "| Medium   | 30 days |" >> $GITHUB_STEP_SUMMARY
+          echo "| Low      | 60 days / next release |" >> $GITHUB_STEP_SUMMARY
+
+  summary:
+    name: Security Scan Summary
+    runs-on: ubuntu-latest
+    needs: analyze
+    if: always()
+
+    steps:
+      - name: Summary
+        run: |
+          echo "### 🛡️ CodeQL Complete" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
+          SECURITY_URL="https://github.com/${{ github.repository }}/security"
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "📊 [View all security alerts]($SECURITY_URL)" >> $GITHUB_STEP_SUMMARY