actionlint missing findings reported by CodeQL on GitHub Actions workflow configurations

[aep-sunlife]

actionlint findings should be a superset of the findings presented by CodeQL on GitHub Actions workflow configurations.

Today, GitHub's CodeQL SAST system often reports more, and different warnings than actionlint.

That discrepancy is strange, and many users may end up dropping actionlint in favor of purely CodeQL, as one way to resolve the data conflict.

[ulgens]

In my personal experience and research, CodeQL is not exactly a trusted source to use as a base for another toolset. Their rulesets seem arbitrary and poorly integrated with other similar rulesets and tools. I believe the situation is at least a bit better for Actions, but still, I wouldn't recommend it.

I tried to find a documentation/list for GHA related CodeQL rules but it seems there is nothing under https://docs.github.com/en/code-security/reference/code-quality/codeql-queries

[julianladisch]

See https://github.com/github/codeql/tree/main/actions/ql/src for GHA related CodeQL rules.