Tier 2: Set up SAST with CodeQL or Semgrep

## Context

As identified in the Risk Radar Assessment, both modules (`scripts` and `website`) are **Tier 2** and require Tier 2 extended assurance measures.

## Measure: SAST (Static Application Security Testing)

**Type:** Deterministic  
**Status:** ❌ Missing  
**Required for:** Tier 2 — Extended Assurance

## What to implement

**Option 1: GitHub CodeQL (Recommended)**

1. Create `.github/workflows/codeql.yml`
2. Configure for JavaScript analysis
3. Run on PRs and weekly schedule

**Option 2: Semgrep**

1. Create `.github/workflows/semgrep.yml`
2. Sign up for Semgrep Cloud (free for open source)
3. Configure Semgrep rules

## Reference

- [Risk Radar Documentation](https://llm-coding.github.io/vibe-coding-risk-radar/)
- [Tier 2 Mitigations](https://llm-coding.github.io/vibe-coding-risk-radar/tiers/tier-2/)

## Acceptance Criteria

- [ ] SAST tool configured (CodeQL or Semgrep)
- [ ] Runs on every PR and push to main
- [ ] Security findings are reported in GitHub Security tab
- [ ] No high-severity issues in current codebase

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Tier 2: Set up SAST with CodeQL or Semgrep #84

Context

Measure: SAST (Static Application Security Testing)

What to implement

Reference

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Tier 2: Set up SAST with CodeQL or Semgrep #84

Description

Context

Measure: SAST (Static Application Security Testing)

What to implement

Reference

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions