author Jake Hunsaker <jhunsake@redhat.com> 2022-11-14 12:32:11 -0500
committer Jake Hunsaker <jhunsake@redhat.com> 2022-11-21 14:19:17 -0500
commit dcb34e10896612052e91a0474e036c62d6cd27a1
tree 9a71c8376870e4d3aa47d0a3c312a6e40f2678b8 /.github
parent e7a316ba7eae727b54952843cfb0d1775ece5352
[testing] Switch to CodeQL from LGTM
LGTM is shutting down shortly, as it has been folded into GH CodeQL. As such, we need to switch over to using CodeQL to maintain automatic code analysis. Do this by using the provided CodeQL workflow configuration, and add a config file to limit the analysis to the appropriate `sos/` directory.

Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
Diffstat (limited to '.github')
-rw-r--r-- .github/codeql/codeql-config.yaml 4
-rw-r--r-- .github/workflows/codeql.yaml 42
2 files changed, 46 insertions, 0 deletions
diff --git a/.github/codeql/codeql-config.yaml b/.github/codeql/codeql-config.yaml
new file mode 100644
index 00000000..b950e71e
--- /dev/null
+++ b/.github/codeql/codeql-config.yaml
@@ -0,0 +1,4 @@
+name: "SoS CodeQL Config"
+
+paths:
+ - sos
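Review bot: the `paths:` list in codeql-config.yaml has `sos` as its only entry, so code anywhere else in the repository gets no analysis, and nothing in the file records that this is deliberate. Consider a short comment above `paths:` stating why the scope is limited to `sos`, so that Python code added outside that directory later prompts someone to revisit the list.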
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 00000000..ecd08caa
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,42 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: "49 12 * * 6"
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ python ]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ config-file: .github/codeql/codeql-config.yaml
+ languages: ${{ matrix.language }}
+ queries: +security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{ matrix.language }}"
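Review bot: the `uses:` lines in `steps:` reference every action by a mutable tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`) inside a job that is granted `security-events: write`. Pinning each one to a full commit SHA, with the tag kept in a trailing comment, would stop a moved tag from changing what runs in this job. Separately, the Autobuild step can be dropped: the matrix lists only `python`, so there is nothing to compile.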