
Add Codacy security scan workflow #896

Merged

Smartappli merged 1 commit into master from Smartappli-patch-2 on May 1, 2026

Conversation

@Smartappli (Owner) commented May 1, 2026

This workflow integrates Codacy security scans with GitHub Advanced Security, checking code on push and pull requests to the master branch, and scheduling scans weekly.

Summary by CodeRabbit

  • Chores
    • Added automated security scanning via Codacy to detect and report potential code vulnerabilities in the codebase.

@gemini-code-assist commented

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai Bot (Contributor) commented May 1, 2026

Walkthrough

Introduces a new GitHub Actions workflow for Codacy security scanning. Runs on master push/pull request events and a scheduled cron. Checks out the repository, executes Codacy analysis CLI with a project token, generates SARIF output, and uploads results to GitHub Advanced Security.

Changes

Cohort / File(s) Summary
Codacy Security Scanning Workflow
.github/workflows/codacy.yml
New GitHub Actions workflow that triggers Codacy static analysis on master commits and pull requests, plus scheduled execution. Configures verbose scanning with SARIF output format and high max-allowed-issues threshold to ensure SARIF generation. Uploads security results to GitHub's Advanced Security dashboard.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A workflow takes shape, secure and bright,
Codacy scans code both day and night,
SARIF results flow to GitHub's keep,
While our project's safety runs deep! 🔐

🚥 Pre-merge checks | ✅ 5 passed

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The pull request title 'Add Codacy security scan workflow' directly and clearly summarizes the main change: introduction of a new GitHub Actions workflow for Codacy security scanning.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@codacy-production commented

Up to standards ✅

🟢 Issues: 0 issues

Results: 0 new issues

@chatgpt-codex-connector Bot left a comment
💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2e1dc872e5


Comment on lines +18 to +21
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]

P1: Target the active default branch for workflow triggers

This workflow only runs for push/pull_request on master, but this repository currently has main (and no master) as an active branch, so the scan will never run on normal PRs or pushes and only executes on the weekly cron. That means new security findings won’t be surfaced during code review, which defeats the intended PR-time protection.


@coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/codacy.yml:
- Line 39: Change the mutable action tags to immutable commit SHAs: replace the
literal "uses: actions/checkout@v4" and the other "uses: ...@v3" entry
referenced in the file with their corresponding full commit SHA pins (the same
pattern used for the Codacy action on line 43), fetching the canonical commit
SHAs from the official GitHub Action repos and updating both uses: lines so the
workflow references fixed commits rather than version tags.
📥 Commits

Reviewing files that changed from the base of the PR and between f302ca4 and 2e1dc87.

📒 Files selected for processing (1)
  • .github/workflows/codacy.yml

    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout code
        uses: actions/checkout@v4

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify workflows still using mutable action tags instead of full SHAs
rg -nP '^\s*uses:\s*[^@\s]+@v[0-9]+(\.[0-9]+)?\s*$' .github/workflows

Repository: Smartappli/AIMER

🏁 Script executed:

cat -n .github/workflows/codacy.yml

Repository: Smartappli/AIMER


Pin all uses: actions to immutable commit SHAs.

Lines 39 and 59 use mutable version tags (@v4 and @v3), leaving a supply-chain window if tags are moved upstream. Pin to full commit SHAs as you already did on line 43 with the Codacy action.

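The pinning check raised above can be automated rather than eyeballed. The script below is an added example for this thread, not code from the AIMER repository, from Codacy, or from any of the review bots. It classifies every `uses:` reference in a workflow file as an immutable commit-SHA pin, a mutable ref (tag, branch, or untagged image), or a local action, and rewrites mutable refs to SHA pins while keeping the version as a trailing comment so a dependency bot can still bump them. The sample workflow text is constructed to match the shape described in this PR (push/PR on master, weekly cron, checkout on a tag, Codacy action on a SHA, SARIF upload on a tag); the SHAs in it are placeholders, and the name of the SARIF upload action is an assumption, since the review only shows it as "...@v3".

```python
"""Audit GitHub Actions `uses:` references for immutable commit-SHA pins.

Added example for this PR thread; not code from the AIMER repository or from
Codacy. The workflow text and the SHAs below are constructed placeholders, and
the SARIF upload action name is an assumption (the review only shows "...@v3").
"""
import re
from dataclasses import dataclass

# Matches "uses: <value>" whether or not the step starts with "- ".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample shaped like the workflow this PR adds (scan on push/PR to
# master plus a weekly cron; checkout on a tag, Codacy on a SHA, upload on a tag).
SAMPLE_WORKFLOW = """\
name: Codacy Security Scan
on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '30 4 * * 1'
jobs:
  codacy-security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          output: results.sarif
          format: sarif
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@v3
"""

# Placeholder SHAs. Resolve the real ones out of band, e.g.
#   git ls-remote https://github.com/actions/checkout refs/tags/v4
EXAMPLE_PINS = {
    "actions/checkout": ("a" * 40, "v4"),
    "github/codeql-action/upload-sarif": ("b" * 40, "v3"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str  # "sha" (immutable), "mutable" (tag/branch/untagged), "local" (./path)


def classify(uses_value: str) -> tuple[str, str, str]:
    """Return (kind, action, ref) for the value of a `uses:` key."""
    action, sep, ref = uses_value.rpartition("@")
    if not sep:
        # "./path" reuses this repo's own code; anything else without a ref floats.
        return ("local" if uses_value.startswith("./") else "mutable"), uses_value, ""
    if uses_value.startswith("docker://"):
        # Container actions are only immutable when pinned by digest.
        kind = "sha" if ref.startswith("sha256:") else "mutable"
    else:
        kind = "sha" if FULL_SHA_RE.match(ref) else "mutable"
    return kind, action, ref


def audit_uses(workflow_text: str) -> list[Finding]:
    """Classify every `uses:` reference in a workflow file."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            kind, action, ref = classify(m.group(1))
            findings.append(Finding(line_no, action, ref, kind))
    return findings


def unpinned(workflow_text: str) -> list[Finding]:
    """Only the references a reviewer would ask to pin (the check raised above)."""
    return [f for f in audit_uses(workflow_text) if f.kind == "mutable"]


def pin_actions(workflow_text: str, pins: dict[str, tuple[str, str]]) -> str:
    """Rewrite mutable refs to SHA pins, keeping the tag as a trailing comment.

    The comment is what Dependabot/Renovate read to bump the SHA later, so the
    pin stays maintainable instead of silently going stale.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            kind, action, ref = classify(m.group(1))
            if kind == "mutable" and action in pins:
                sha, tag = pins[action]
                line = line.replace(f"{action}@{ref}", f"{action}@{sha}  # {tag}")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in unpinned(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref} is a mutable ref; pin to a full commit SHA")
    print(pin_actions(SAMPLE_WORKFLOW, EXAMPLE_PINS))
```

Run it against `.github/workflows/*.yml` in CI to fail the build on any mutable ref; the trailing `# vN` comment on each pin is the convention dependency bots use to keep SHA-pinned actions updated, which is what makes SHA pinning practical rather than a one-off hardening step.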

@Smartappli Smartappli enabled auto-merge May 1, 2026 15:45
@Smartappli Smartappli disabled auto-merge May 1, 2026 15:45
@Smartappli Smartappli merged commit 7632551 into master May 1, 2026
21 of 26 checks passed
@Smartappli Smartappli deleted the Smartappli-patch-2 branch May 1, 2026 15:46
