feat: initial codeql setup (#1390)

.github/codeql/README.md

@@ -0,0 +1,49 @@
+# CodeQL Security Analysis for Unraid API
+
+This directory contains custom CodeQL queries and configurations for security analysis of the Unraid API codebase.
+
+## Overview
+
+The analysis is configured to run:
+- On all pushes to the main branch
+- On all pull requests
+- Weekly via scheduled runs
+
+## Custom Queries
+
+The following custom queries are implemented:
+
+1. **API Authorization Bypass Detection**  
+   Identifies API handlers that may not properly check authorization before performing operations.
+
+2. **GraphQL Injection Detection**  
+   Detects potential injection vulnerabilities in GraphQL queries and operations.
+
+3. **Hardcoded Secrets Detection**  
+   Finds potential hardcoded secrets or credentials in the codebase.
+
+4. **Insecure Cryptographic Implementations**  
+   Identifies usage of weak cryptographic algorithms or insecure random number generation.
+
+5. **Path Traversal Vulnerability Detection**  
+   Detects potential path traversal vulnerabilities in file system operations.
+
+## Configuration
+
+The CodeQL analysis is configured in:
+- `.github/workflows/codeql-analysis.yml` - Workflow configuration
+- `.github/codeql/codeql-config.yml` - CodeQL engine configuration
+
+## Running Locally
+
+To run these queries locally:
+
+1. Install the CodeQL CLI: https://github.com/github/codeql-cli-binaries/releases
+2. Create a CodeQL database:
+   ```
+   codeql database create <db-name> --language=javascript --source-root=.
+   ```
+3. Run a query:
+   ```
+   codeql query run .github/codeql/custom-queries/javascript/api-auth-bypass.ql --database=<db-name>
+   ```