
fix: missing config-file for github action scanning (#5376)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

On-behalf-of: Gergely Brautigam <gergely.brautigam@sap.com>

Co-authored-by: Jakob Möller <jakob.moeller@sap.com>
Gergely Brautigam 5 months ago
parent
commit
0a3fdc3a48
2 changed files with 89 additions and 0 deletions
  1. 88 0
      .github/config/codeql-config.yaml
  2. 1 0
      .github/workflows/codeql.yml

+ 88 - 0
.github/config/codeql-config.yaml

@@ -0,0 +1,88 @@
+name: "Synthetic Apps All Queries Config"
+
+# expand thread model - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models
+threat-models: local
+
+# start from scratch - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#disabling-the-default-queries
+disable-default-queries: true
+
+packs:
+  # All queries from the CodeQL Built in packs (including low/no precision queries)
+  - codeql/actions-queries:.
+  - codeql/go-queries:.
+  ### GitHub Security Lab###
+  # Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries)
+  - githubsecuritylab/codeql-go-queries
+  - trailofbits/go-queries
+
+# Start with Security Experimental (lightly documented: https://github.com/github/codeql/pull/11702) : https://github.com/github/codeql/blob/main/misc/suite-helpers/security-experimental-selectors.yml
+# - precision ( low + Low or EXCLUDED precision)
+# + problem.severity: recommendation
+# - restriction of no experimental folder
+# - restriction of audit/debugging queries from community packs
+query-filters:
+  - include:
+      kind:
+        - problem
+        - path-problem
+      tags contain:
+        - security
+  - include:
+      kind:
+        - diagnostic
+  - include:
+      kind:
+        - metric
+      tags contain:
+        - summary
+  - exclude:
+      deprecated: //
+  - exclude:
+      query path:
+        # REMOVE exclude - OK even if they exist in experimental folder
+        #- /^experimental\/.*/
+        - Metrics/Summaries/FrameworkCoverage.ql
+        - /Diagnostics/Internal/.*/
+  - exclude:
+      tags contain:
+        - modeleditor
+        - modelgenerator
+  # Exclude audit queries from the CodeQL Built in packs
+  - exclude:
+      id:
+        - go/untrusted-data-to-external-api
+
+  # Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs)
+  - exclude:
+      tags contain:
+        - debugging
+        - audit
+
+#Additional extractor excludes:  https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
+paths-ignore:
+  # Python
+  - "vendor/**"
+  - "examples/**"
+  - "tests/**"
+  - "test/**"
+  - "site-packages/**"
+
+  # JavaScript
+  - "node_modules"
+  - "**/*.test.js"
+  - "**/*.test.tsx"
+  - "**/*.spec.ts"
+  - "**/*.spec.tsx"
+  - "dist"
+  - "CoverageResults"
+  - "**/wwwroot/lib/**"
+  - "**/deps/**"
+  - "**/third_party/**"
+  - "**/wp-includes/**"
+  - "**/wp-admin/**"
+
+  # Ruby
+  - "**/gems/**"
+  - "**/spec/**/*_spec.rb"
+  - "**/test/**/*_test.rb"
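Review bot: The two community packs `githubsecuritylab/codeql-go-queries` and `trailofbits/go-queries` are listed without a version, so every run resolves whatever the registry currently publishes, while the workflow in this same commit pins `github/codeql-action` to a commit SHA; pin them with the pack version syntax, e.g. `githubsecuritylab/codeql-go-queries@<PINNED_VERSION>` and `trailofbits/go-queries@<PINNED_VERSION>` (placeholders), or add a comment stating that floating is intended. Because `disable-default-queries: true` makes these packs the only query source, a breaking pack release or a registry problem would presumably change the result set from one run to the next without any change in the repository, which is hard to spot in review. The header comment reads `expand thread model` where `threat model` is meant. The `paths-ignore` entries are grouped as Python, JavaScript and Ruby although only `actions` and `go` packs are configured, so a comment noting they were carried over from a generic template (or trimming them to what this repository contains) would help the next reader.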
+

+ 1 - 0
.github/workflows/codeql.yml

@@ -38,5 +38,6 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/config/codeql-config.yaml
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v3.29.5
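Review bot: The added `config-file` line points at a config that sets `disable-default-queries: true` and lists packs only for `actions` and `go`, so each value of `matrix.language` on the line above now needs a matching pack in that file or that language is analyzed with no queries; the matrix definition is outside the hunk, so this is worth confirming. A comment next to the new line such as `# config disables default queries; every matrix language needs a pack in codeql-config.yaml` would record the coupling. The enclosing step begins outside the hunk.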