chore: add local CodeQL infrastructure and summary reporting

Author: novatechflow

scripts/codeql_js_build.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# Scalytics Copilot - Local CodeQL Build Script for JS/TS
+set -euo pipefail
+
+# In a real build, we might run npm install or similar.
+# For CodeQL database creation, we just need to ensure the environment is sane.
+echo "Preparing JS/TS build for CodeQL..."
+npm install --no-package-lock --no-save
+cd frontend && npm install --no-package-lock --no-save && cd ..
+echo "JS/TS build preparation complete."

scripts/codeql_local.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+# Scalytics Copilot - Local CodeQL Execution Script
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+
+if ! command -v codeql >/dev/null 2>&1; then
+  echo "ERROR: codeql CLI not found in PATH"
+  echo "Install from: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli"
+  exit 1
+fi
+
+mkdir -p .tmp/codeql
+
+echo "==> Ensuring CodeQL standard query packs are available"
+codeql pack download codeql/javascript-queries codeql/python-queries codeql/actions-queries
+
+# Stable defaults for local runs.
+CODEQL_JS_RAM_MB="${CODEQL_JS_RAM_MB:-6144}"
+CODEQL_JS_THREADS="${CODEQL_JS_THREADS:-2}"
+CODEQL_PY_RAM_MB="${CODEQL_PY_RAM_MB:-4096}"
+CODEQL_ACTIONS_RAM_MB="${CODEQL_ACTIONS_RAM_MB:-1024}"
+
+# Strategy github/security-and-quality
+CODEQL_QUERY_STRATEGY="${CODEQL_QUERY_STRATEGY:-github}"
+
+run_js() {
+  echo "==> CodeQL (JavaScript/TypeScript)"
+  echo "    using --ram=${CODEQL_JS_RAM_MB}MB --threads=${CODEQL_JS_THREADS}"
+  rm -rf .tmp/codeql/js-db
+  chmod +x scripts/codeql_js_build.sh
+  codeql database create .tmp/codeql/js-db 
+    --language=javascript-typescript 
+    --ram="$CODEQL_JS_RAM_MB" 
+    --command="./scripts/codeql_js_build.sh"
+
+  if [[ "$CODEQL_QUERY_STRATEGY" == "security-and-quality" ]]; then
+    codeql database analyze .tmp/codeql/js-db 
+      codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls 
+      --download 
+      --ram="$CODEQL_JS_RAM_MB" 
+      --threads="$CODEQL_JS_THREADS" 
+      --format=sarifv2.1.0 
+      --sarif-category="/language:javascript-typescript" 
+      --output .tmp/codeql/javascript.sarif
+  else
+    codeql database analyze .tmp/codeql/js-db 
+      codeql/javascript-queries 
+      --download 
+      --ram="$CODEQL_JS_RAM_MB" 
+      --threads="$CODEQL_JS_THREADS" 
+      --format=sarifv2.1.0 
+      --sarif-category="/language:javascript-typescript" 
+      --output .tmp/codeql/javascript.sarif
+  fi
+}
+
+run_py() {
+  echo "==> CodeQL (Python)"
+  echo "    using --ram=${CODEQL_PY_RAM_MB}MB"
+  rm -rf .tmp/codeql/py-db
+  chmod +x scripts/codeql_py_build.sh
+  codeql database create .tmp/codeql/py-db 
+    --language=python 
+    --ram="$CODEQL_PY_RAM_MB" 
+    --command="./scripts/codeql_py_build.sh"
+
+  if [[ "$CODEQL_QUERY_STRATEGY" == "security-and-quality" ]]; then
+    codeql database analyze .tmp/codeql/py-db 
+      codeql/python-queries:codeql-suites/python-security-and-quality.qls 
+      --download 
+      --ram="$CODEQL_PY_RAM_MB" 
+      --format=sarifv2.1.0 
+      --sarif-category="/language:python" 
+      --output .tmp/codeql/python.sarif
+  else
+    codeql database analyze .tmp/codeql/py-db 
+      codeql/python-queries 
+      --download 
+      --ram="$CODEQL_PY_RAM_MB" 
+      --format=sarifv2.1.0 
+      --sarif-category="/language:python" 
+      --output .tmp/codeql/python.sarif
+  fi
+}
+
+run_actions() {
+  echo "==> CodeQL (Actions)"
+  echo "    using --ram=${CODEQL_ACTIONS_RAM_MB}MB"
+  rm -rf .tmp/codeql/actions-db
+  codeql database create .tmp/codeql/actions-db 
+    --language=actions 
+    --build-mode=none 
+    --ram="$CODEQL_ACTIONS_RAM_MB"
+
+  codeql database analyze .tmp/codeql/actions-db 
+    codeql/actions-queries 
+    --download 
+    --ram="$CODEQL_ACTIONS_RAM_MB" 
+    --format=sarifv2.1.0 
+    --sarif-category="/language:actions" 
+    --output .tmp/codeql/actions.sarif
+}
+
+# Run for all project languages
+run_js
+run_py
+run_actions
+
+echo ""
+echo "CodeQL local run complete."
+echo "SARIF outputs:"
+echo "  .tmp/codeql/javascript.sarif"
+echo "  .tmp/codeql/python.sarif"
+echo "  .tmp/codeql/actions.sarif"

scripts/codeql_py_build.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Scalytics Copilot - Local CodeQL Build Script for Python
+set -euo pipefail
+
+echo "Preparing Python build for CodeQL..."
+# Python usually doesn't need a formal build step for CodeQL (build-mode=none),
+# but we can verify dependencies here if needed.
+pip install -r scripts/requirements.txt || echo "Optional requirements installation failed, continuing..."
+echo "Python build preparation complete."

scripts/codeql_summary.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+import json
+import glob
+import sys
+from collections import Counter
+
+class C:
+    RED = '\033[91m'
+    YEL = '\033[93m'
+    CYA = '\033[96m'
+    GRN = '\033[92m'
+    RST = '\033[0m'
+    BLD = '\033[1m'
+    DIM = '\033[2m'
+
+def summarize():
+    sarifs = sorted(glob.glob(".tmp/codeql/*.sarif"))
+    if not sarifs:
+        print(f"{C.YEL}No SARIF files found under .tmp/codeql/. Did local CodeQL run successfully?{C.RST}")
+        return
+
+    total_errors = 0
+    total_warnings = 0
+    
+    print(f"
+{C.BLD}=== Local CodeQL Findings Summary ==={C.RST}")
+
+    for path in sarifs:
+        filename = path.split('/')[-1]
+        with open(path, "r", encoding="utf-8") as f:
+            data = json.load(f)
+        
+        file_errors = 0
+        file_warnings = 0
+        
+        for run in data.get("runs", []):
+            for result in (run.get("results") or []):
+                level = (result.get("level") or "warning").lower()
+                if level == "error":
+                    file_errors += 1
+                else:
+                    file_warnings += 1
+        
+        if file_errors > 0 or file_warnings > 0:
+            print(f"📄 {C.CYA}{filename}{C.RST}: {C.RED}{file_errors} Errors{C.RST}, {C.YEL}{file_warnings} Warnings{C.RST}")
+        
+        total_errors += file_errors
+        total_warnings += file_warnings
+
+    if total_errors > 0:
+        print(f"
+{C.RED}❌ CodeQL gate failed: {total_errors} blocking error(s) found.{C.RST}")
+        sys.exit(1)
+    
+    if total_warnings > 0:
+         print(f"
+{C.YEL}⚠️ CodeQL passed with {total_warnings} warnings (non-blocking).{C.RST}")
+    else:
+         print(f"
+{C.GRN}✅ CodeQL passed: no findings found.{C.RST}")
+
+if __name__ == "__main__":
+    summarize()

scripts/commit-check.sh

@@ -1,49 +1,60 @@
 #!/bin/bash
 # Scalytics Copilot - Local Commit Check Script
-# This script runs linting, security audits, and tests to ensure code quality.
+# This script runs linting, security audits, tests, and CodeQL to ensure code quality.
 
 set -e # Exit on any failure
 
 # Colors for output
 GREEN='\033[0;32m'
 RED='\033[0;31m'
 YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
 NC='\033[0m' # No Color
 
-echo -e "${YELLOW}🚀 Starting Scalytics Copilot Commit Check...${NC}
-"
+echo -e "${YELLOW}🚀 Starting Scalytics Copilot Commit Check...${NC}\n"
 
 # 1. Backend Checks
-echo -e "${GREEN}📦 [1/4] Checking Backend...${NC}"
+echo -e "${CYAN}📦 [1/5] Checking Backend...${NC}"
 npm run lint || { echo -e "${RED}❌ Backend Linting Failed${NC}"; exit 1; }
 npm test || { echo -e "${RED}❌ Backend Tests Failed${NC}"; exit 1; }
-echo -e "✅ Backend checks passed.
-"
+echo -e "✅ Backend checks passed.\n"
 
 # 2. Frontend Checks
-echo -e "${GREEN}🖼️ [2/4] Checking Frontend...${NC}"
+echo -e "${CYAN}🖼️ [2/5] Checking Frontend...${NC}"
 cd frontend
-npm run lint || { echo -e "${YELLOW}⚠️ Frontend Linting had warnings/errors (skipping exit)${NC}" ; }
+# Skip exit on frontend linting as it's often noisy in early stages
+npm run lint || { echo -e "${YELLOW}⚠️ Frontend Linting had warnings/errors${NC}" ; }
 CI=true npm test -- --passWithNoTests || { echo -e "${RED}❌ Frontend Tests Failed${NC}"; exit 1; }
 cd ..
-echo -e "✅ Frontend checks passed.
-"
+echo -e "✅ Frontend checks passed.\n"
 
 # 3. Python Checks (Sanity)
-echo -e "${GREEN}🐍 [3/4] Checking Python Services...${NC}"
+echo -e "${CYAN}🐍 [3/5] Checking Python Services...${NC}"
 if command -v python3 &> /dev/null; then
     python3 -m compileall scripts src/python_services > /dev/null
-    echo -e "✅ Python syntax check passed.
-"
+    echo -e "✅ Python syntax check passed.\n"
 else
-    echo -e "${YELLOW}⚠️ Python3 not found, skipping Python checks.${NC}
-"
+    echo -e "${YELLOW}⚠️ Python3 not found, skipping Python checks.${NC}\n"
 fi
 
 # 4. Security Audit
-echo -e "${GREEN}🛡️ [4/4] Running Security Audit...${NC}"
+echo -e "${CYAN}🛡️ [4/5] Running Security Audit...${NC}"
 npm audit --audit-level=high || { echo -e "${YELLOW}⚠️ High-level vulnerabilities found in dependencies. Please review with 'npm audit'.${NC}"; }
-echo -e "✅ Security audit complete.
-"
+echo -e "✅ Security audit complete.\n"
+
+# 5. Local CodeQL Analysis
+echo -e "${CYAN}🔍 [5/5] Running Local CodeQL Analysis...${NC}"
+if command -v codeql &> /dev/null; then
+    ./scripts/codeql_local.sh
+    # Use python script for summary and gating (if python3 is available)
+    if command -v python3 &> /dev/null; then
+        python3 scripts/codeql_summary.py
+    else
+        echo -e "${YELLOW}⚠️ python3 not found, skipping CodeQL summary report.${NC}"
+    fi
+else
+    echo -e "${YELLOW}⚠️ CodeQL CLI not found in PATH, skipping local deep analysis.${NC}"
+    echo -e "${YELLOW}   Install from: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli${NC}"
+fi
 
-echo -e "${GREEN}🎉 All checks passed! You are ready to commit.${NC}"
+echo -e "\n${GREEN}🎉 All checks passed! You are ready to commit.${NC}"