CodeQL Config Update

.github/codeql/codeql-config.yml

@@ -0,0 +1,5 @@
+
+name: "CodeQL config"
+
+queries:
+  - uses: security-and-quality

.github/pull_request_template.md

@@ -0,0 +1,23 @@
+## Review: Security Validations checklist
+**The following items must be checked before merging to the Master branch**
+**For any exceptions contact the Security Team**
+
+- [ ] **Secrets are not hardcoded or stored in the code** (e.g. Passwords, AWS access keys, tokens, connection strings, SSH Keys, PGP Keys, etc)
+- [ ] **All API endpoints verify the identity of the user and don't allow cross-user access**
+- [ ] **All input parameters are validated and/or sanitized** (including form fields, query strings, cookies, and HTTP headers).
+- [ ] **API response data is sanitized**, returned based on access control and only what is needed.
+- [ ] **Sensitive information is not being transmitted in an unencrypted or unsecured manner (api, files)**
+- [ ] **Sensitive data is not passed in query strings or URL.** URL data is sanitized, validated and use with care.
+- [ ] **All relevant user / system actions are properly logged**. Errors, failures and issues (e.g. missing data, bad data) are logged.
+- [ ] **New libraries and packages have been reviewed and approved by the security team**
+- [ ] **New HTTP headers have been reviewed and approved by the security team**
+- [ ] **Any changes to the structure or content type of cookies have been reviewed and approved by the security team**
+- [ ] **iFrames, redirects, domain or subdomain usage were reviewed and approved by the security team**
+- [ ] **Access to system level resources is restricted. There is no shell execution.**
+
+
+## NOTE: examples and guidelines please see
+
+[FrontEnd Guidelines](https://github.com/bluevine-dev/bv_security/wiki/Security-Validations-Checklist-FrontEnd-Guidelines)
+
+[BackEnd Guidelines](https://github.com/bluevine-dev/bv_security/wiki/Security-Validations-Checklist-BackEnd-Guidelines)

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,52 @@
+name: "CodeQL"
+
+on:
+  schedule:
+    - cron: '0 3 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      # Override language selection by uncommenting this and choosing your languages
+      # with:
+      #   languages: go, javascript, csharp, python, cpp, java
+      with:
+      #   languages: go, javascript, csharp, python, cpp, java
+        config-file: ./.github/codeql/codeql-config.yml
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1