Add CodeQL SAST + Scorecard + badges + LICENSE in archives

Author: DeusData

.github/workflows/codeql.yml

@@ -0,0 +1,28 @@
+name: CodeQL SAST
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
+        with:
+          languages: c-cpp
+          build-mode: none
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
+        with:
+          category: "/language:c-cpp"

.github/workflows/dry-run.yml

@@ -75,6 +75,26 @@ jobs:
       - name: "Layer 8: Vendored dependency integrity"
         run: scripts/security-vendored.sh
 
+  # ── Step 1c: CodeQL SAST gate (checks for open alerts) ──────
+  # CodeQL runs on push/PR via codeql.yml. This gate checks if
+  # there are any open critical/high code scanning alerts.
+  codeql-gate:
+    if: ${{ !inputs.skip_lint }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for open code scanning alerts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          ALERTS=$(gh api repos/${{ github.repository }}/code-scanning/alerts?state=open --jq 'length' 2>/dev/null || echo "0")
+          echo "Open code scanning alerts: $ALERTS"
+          if [ "$ALERTS" -gt 0 ]; then
+            echo "BLOCKED: $ALERTS open code scanning alert(s) found."
+            echo "Fix them before releasing: https://github.com/${{ github.repository }}/security/code-scanning"
+            exit 1
+          fi
+          echo "=== CodeQL gate passed (0 open alerts) ==="
+
   # ── Step 2: Unit tests (ASan + UBSan) ───────────────────────
   # macOS: use cc (Apple Clang) — GCC on macOS doesn't ship ASan runtime
   # Linux: use system gcc — full ASan/UBSan support

.github/workflows/release.yml

@@ -76,6 +76,23 @@ jobs:
       - name: "Layer 8: Vendored dependency integrity"
         run: scripts/security-vendored.sh
 
+  # ── Step 1c: CodeQL SAST gate (checks for open alerts) ──────
+  codeql-gate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for open code scanning alerts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          ALERTS=$(gh api repos/${{ github.repository }}/code-scanning/alerts?state=open --jq 'length' 2>/dev/null || echo "0")
+          echo "Open code scanning alerts: $ALERTS"
+          if [ "$ALERTS" -gt 0 ]; then
+            echo "BLOCKED: $ALERTS open code scanning alert(s) found."
+            echo "Fix them before releasing: https://github.com/${{ github.repository }}/security/code-scanning"
+            exit 1
+          fi
+          echo "=== CodeQL gate passed (0 open alerts) ==="
+
   # ── Step 2: Unit tests (ASan + UBSan) ───────────────────────
   # macOS: use cc (Apple Clang) — GCC on macOS doesn't ship ASan runtime
   # Linux: use system gcc — full ASan/UBSan support
@@ -391,7 +408,7 @@ jobs:
 
   # ── Step 5: Create DRAFT release (not public yet) ─────────────
   release-draft:
-    needs: [smoke-unix, smoke-windows, security-static]
+    needs: [smoke-unix, smoke-windows, security-static, codeql-gate]
     runs-on: ubuntu-latest
     permissions:
       contents: write

README.md

@@ -1,5 +1,15 @@
 # codebase-memory-mcp
 
+[![GitHub Release](https://img.shields.io/github/v/release/DeusData/codebase-memory-mcp?style=flat&color=blue)](https://github.com/DeusData/codebase-memory-mcp/releases/latest)
+[![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)
+[![CI](https://img.shields.io/github/actions/workflow/status/DeusData/codebase-memory-mcp/dry-run.yml?label=CI)](https://github.com/DeusData/codebase-memory-mcp/actions/workflows/dry-run.yml)
+[![Tests](https://img.shields.io/badge/tests-2042_passing-brightgreen)](https://github.com/DeusData/codebase-memory-mcp)
+[![Languages](https://img.shields.io/badge/languages-64-orange)](https://github.com/DeusData/codebase-memory-mcp)
+[![Agents](https://img.shields.io/badge/agents-10-purple)](https://github.com/DeusData/codebase-memory-mcp)
+[![Pure C](https://img.shields.io/badge/pure_C-zero_dependencies-blue)](https://github.com/DeusData/codebase-memory-mcp)
+[![Platform](https://img.shields.io/badge/macOS_%7C_Linux_%7C_Windows-supported-lightgrey)](https://github.com/DeusData/codebase-memory-mcp/releases/latest)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/DeusData/codebase-memory-mcp/badge)](https://scorecard.dev/viewer/?uri=github.com/DeusData/codebase-memory-mcp)
+
 **The fastest and most efficient code intelligence engine for AI coding agents.** Full-indexes an average repository in milliseconds, the Linux kernel (28M LOC, 75K files) in 3 minutes. Answers structural queries in under 1ms. Ships as a single static binary for macOS, Linux, and Windows — download, run `install`, done.
 
 High-quality parsing through [tree-sitter](https://tree-sitter.github.io/tree-sitter/) AST analysis across all 64 languages, enhanced with LSP-style hybrid type resolution for Go, C, and C++ (more languages coming soon) — producing a persistent knowledge graph of functions, classes, call chains, HTTP routes, and cross-service links. 14 MCP tools. Zero dependencies. Plug and play across 10 coding agents.

SECURITY.md

@@ -28,6 +28,7 @@ This project implements multiple layers of security verification. Every release
 - **All dangerous function calls** require a reviewed entry in `scripts/security-allowlist.txt`
 - **Time-bomb pattern detection** — scans for `time()`/`sleep()` near dangerous calls (could indicate delayed activation)
 - **MCP tool handler file read audit** — tracks file read count in `mcp.c` against an expected maximum (detects added file reads that could exfiltrate data through tool responses)
+- **CodeQL SAST** — static application security testing on every push (taint analysis, CWE detection, data flow tracking). Any open alert blocks the release.
 - **Native antivirus scanning** on every platform (any detection fails the build):
   - **Windows**: Windows Defender with ML heuristics — the same engine end users run
   - **Linux**: ClamAV with daily signature updates