Update codeql.yml to automatically create new CodeQL issues

.github/workflows/codeql.yml

@@ -75,4 +75,78 @@ jobs:
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
       with:
-        category: "/language:${{matrix.language}}"
+        category: "/language:${{matrix.language}}"
+
+    - name: Check for CodeQL alerts
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+
+          // Get a list of open CodeQL alerts
+          const response = await fetch(`https://api.github.com/repos/${context.repo.owner}/${context.repo.repo}/code-scanning/alerts?state=active`, {
+            headers: {
+              Authorization: `token ${{secrets.GITHUB_TOKEN}}`
+            }
+          });
+
+          if (!response.ok) {
+            throw new Error(`Failed to fetch alerts: ${response.status} - ${response.statusText}`);
+          }
+
+          const alerts = await response.json();
+
+          // Check if there are any alerts
+          if (alerts.length > 0) {
+            for (const alert of alerts) {
+              const alertId = alert.number;
+
+              // Check if there is an existing tracking issue for the alert
+              const searchResponse = await fetch(`https://api.github.com/search/issues?q=repo:${context.repo.owner}/${context.repo.repo}+state:open+${encodeURIComponent(`"${alertId}"`)}+in:title`, {
+                headers: {
+                  Authorization: `token ${{secrets.GITHUB_TOKEN}}`
+                }
+              });
+
+              if (!searchResponse.ok) {
+                throw new Error(`Failed to search for issues: ${searchResponse.status} - ${searchResponse.statusText}`);
+              }
+
+              const searchResult = await searchResponse.json();
+
+              if (searchResult.items.length === 0) {
+                const issueTitle = `Resolve CodeQL query #${alertId} - generated by GHA`;
+
+                // Read the template file
+                const issueBodyTemplatePath = 'github-actions/trigger-issue/create-codeql-issues/issue-body.md';
+                let issueBodyTemplate = fs.readFileSync(issueBodyTemplatePath, 'utf8');
+
+                // Replace placeholders with actual values
+                issueBodyTemplate = issueBodyTemplate.replace(/\${alertId}/g, alertId);
+
+                // Use the modified content as the issue body
+                const issueBody = issueBodyTemplate;
+
+                // Create a new issue
+                const createIssueResponse = await fetch(`https://api.github.com/repos/${context.repo.owner}/${context.repo.repo}/issues`, {
+                  method: 'POST',
+                  headers: {
+                    Authorization: `token ${{secrets.GITHUB_TOKEN}}`,
+                    'Content-Type': 'application/json'
+                  },
+                  body: JSON.stringify({
+                    title: issueTitle,
+                    body: issueBody,
+                    labels: ['ready for dev lead']
+                  })
+                });
+
+                /*
+                if (!createIssueResponse.ok) {
+                  throw new Error(`Failed to create issue for alert ${alertId}: ${createIssueResponse.status} - ${createIssueResponse.statusText}`);
+                }
+                */
+              }
+            }
+          }
+

github-actions/trigger-issue/create-codeql-issues/issue-body.md

@@ -0,0 +1,25 @@
+### Prerequisite
+
+1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our [Getting Started page](https://www.hackforla.org/getting-started).
+2. Before you claim or start working on an issue, please make sure you have read our [How to Contribute to Hack for LA Guide](https://github.com/hackforla/website/blob/7f0c132c96f71230b8935759e1f8711ccb340c0f/CONTRIBUTING.md).
+
+### Overview
+We need to resolve the new alert [(${alertId})](https://github.com/hackforla/website/security/code-scanning/${alertId}) and either recommend dismissal of the alert or update the code files to resolve the alert.
+
+### Action Items
+- [ ] The following action item serves to "link" this issue as the "tracking issue" for the CodeQL alert and to provide more details regarding the alert: https://github.com/hackforla/website/security/code-scanning/${alertId}
+- [ ] In a comment in this issue, add your analysis and recommendations.  The recommendation can be one of the following: `dismiss as test`, `dismiss as false positive`, `dismiss as won't fix`, or `update code`.  An example of a `false positive` is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as `---` or `{%`
+- [ ] **If the recommendation is to dismiss the alert:**
+  - [ ] Apply the label `ready for dev lead` 
+  - [ ] Move the issue to `Questions/In Review`
+- [ ] **If the recommendation is to update code:**
+  - [ ] Create an issue branch and proceed with the code update
+  - [ ] Test using docker to ensure that there are no changes to any affected webpage(s)
+  - [ ] Proceed with pull request in the usual manner
+
+### Resources/Instructions
+- [HfLA website: CodeQL scan alert audits - issue 5005](https://docs.google.com/spreadsheets/d/1B3R-fI8OW0LcYuwZICQZ2fB8sjlE3VsfyGIXoReNBIs/edit#gid=193401043)
+- [Code scanning results page](https://github.com/hackforla/website/security/code-scanning)
+- [CodeQL query help for JavaScript](https://codeql.github.com/codeql-query-help/javascript/)
+
+This issue was automatically generated from the codeql.yml workflow