Add code scanning

[damianhxy]

Set up GitHub code scanning alerts for ruby and javascript, and address some issues that were highlighted.

Description

Create codeql-analysis.yml via GitHub web interface (Security > Code scanning alerts).

Escape period in regex for url to address issues 1 and 2 of the code scanning alerts.

Motivation and Context

This would assist in the detection of vulnerabilities, especially when new Pull Requests are made.

How Has This Been Tested?

Verified that modified regex still matches string /afs/cs.cmu.edu/academic/autolab/autolab2/courses, but this time with no false positives.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have run rubocop for style check. If you haven't, run overcommit --install && overcommit --sign to use pre-commit hook for linting
• My change requires a change to the documentation, which is located at Autolab Docs
• I have updated the documentation accordingly, included in this PR

[fanpu]

Am I right to say that the CodeQL config addition and the regex changes are independent of one another? In that case, the regex change would be better off in another PR so that this PR is only focused on adding the CodeQL config.

Is the codeql-analysis.yml the default one that was generated?

Otherwise it seems like the code scanning is working as expected based on the Code scanning alerts page on Github, thank you for improving our CI pipeline!

[damianhxy]

Am I right to say that the CodeQL config addition and the regex changes are independent of one another? In that case, the regex change would be better off in another PR so that this PR is only focused on adding the CodeQL config.

The regex changes are in response to two code scanning alerts (nos. 1 and 2) arising from this initial scan. However, I can shift the regex change to another PR.

Is the codeql-analysis.yml the default one that was generated?

Yup! Other than the languages matrix which I changed to [ 'javascript', 'ruby' ] as (iirc) the default file's language matrix contained extraneous languages such as java.

[fanpu]

Thanks for the clarifications, when I went to https://github.com/autolab/Autolab/security/code-scanning I didn't see anything other than this PR passing the tests so I didn't realize. What you have is perfect then, just make a note in the description that the changes were to address issues that were flagged.