1 files changed, 121 insertions, 0 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000000..a92c93b476
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,121 @@
+name: 'CodeQL'
+
+on:
+  push:
+    branches: ['master']
+    paths-ignore:
+      - 'doc/**'
+      - '**/man/*'
+      - '**.md'
+      - '**.rdoc'
+      - '**/.document'
+      - '.*.yml'
+  pull_request:
+    paths-ignore:
+      - 'doc/**'
+      - '**/man/*'
+      - '**.md'
+      - '**.rdoc'
+      - '**/.document'
+      - '.*.yml'
+  schedule:
+    - cron: '0 12 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
+  cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
+    # CodeQL fails to run pull requests from dependabot due to missing write access to upload results.
+    if: >-
+      ${{!(false
+      || contains(github.event.head_commit.message, '[DOC]')
+      || contains(github.event.pull_request.title, '[DOC]')
+      || contains(github.event.pull_request.labels.*.name, 'Documentation')
+      || (github.event_name == 'push' && github.event.pull_request.user.login == 'dependabot[bot]')
+      )}}
+
+    env:
+      enable_install_doc: no
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: cpp
+          - language: ruby
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Install libraries
+        if: ${{ contains(matrix.os, 'macos') }}
+        uses: ./.github/actions/setup/macos
+
+      - name: Install libraries
+        if : ${{ matrix.os == 'ubuntu-latest' }}
+        uses: ./.github/actions/setup/ubuntu
+
+      - uses: ./.github/actions/setup/directories
+
+      - name: Remove an obsolete rubygems vendored file
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
+        with:
+          languages: ${{ matrix.language }}
+          trap-caching: false
+          debug: true
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
+        with:
+          category: '/language:${{ matrix.language }}'
+          upload: False
+          output: sarif-results
+
+      - name: filter-sarif
+        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
+        with:
+          patterns: |
+            +**/*.rb
+            -lib/uri/mailto.rb:rb/overly-large-range
+            -lib/uri/rfc3986_parser.rb:rb/overly-large-range
+            -lib/bundler/vendor/uri/lib/uri/mailto.rb:rb/overly-large-range
+            -lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb:rb/overly-large-range
+            -test/ruby/test_io.rb:rb/non-constant-kernel-open
+            -test/open-uri/test_open-uri.rb:rb/non-constant-kernel-open
+            -test/open-uri/test_ssl.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/binread_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/readlines_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/foreach_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/write_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/read_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/kernel/open_spec.rb:rb/non-constant-kernel-open
+          input: sarif-results/${{ matrix.language }}.sarif
+          output: sarif-results/${{ matrix.language }}.sarif
+        if: ${{ matrix.language == 'ruby' }}
+        continue-on-error: true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
+        with:
+          sarif_file: sarif-results/${{ matrix.language }}.sarif
+        continue-on-error: true