CI: enable CodeQL SAST scanning for automated security analysis #5150

@RishavTiwari25

Description

I think we should improve our repository's infrastructure security by implementing automated Static Application Security Testing (SAST) on our core Rust engine code using GitHub's official CodeQL.

Currently, our .github/workflows/security_audit.yml runs rustsec/audit-check. While this is an excellent tool, it strictly checks our Cargo.lock file for known vulnerable library dependencies from the RustSec Advisory Database. We currently do not have any CI automation natively scanning our actual written Rust logic for underlying software vulnerabilities.

We can fix this by introducing a new .github/workflows/codeql.yml workflow implementing GitHub's native github/codeql-action/analyze.

Because CodeQL officially supports the Rust programming language, enabling it will allow GitHub to automatically analyze boa's codebase for deeply nested logical security bugs (such as out-of-bounds writes, memory leaks, or execution flaws) on every push to main and on newly opened Pull Requests. Securing our core logic like this before code merges is an absolute best practice!
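One way the proposed .github/workflows/codeql.yml could look, as an added example and not a file from the issue author or the boa repository. It assumes the default branch is named main and that the Rust sources live at the repository root; the `security-extended` query suite and the explicit `category` value are choices made here, not requirements.

```yaml
# Added example of the proposed .github/workflows/codeql.yml (assumption: not the project's own file).
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least-privilege token: CodeQL only needs to read the checkout and
# upload SARIF results to the code-scanning API.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze Rust sources
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      # Build the CodeQL database. Rust extraction works from the source
      # tree without a compiled build, so build-mode none is used.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: rust
          build-mode: none
          # Broader than the default suite: more findings, more triage work.
          queries: security-extended

      # Run the queries and upload results to the repository's Security tab;
      # new findings are also surfaced on the pull request that introduced them.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:rust"
```

This runs alongside, not instead of, the existing security_audit.yml: audit-check covers known-vulnerable dependencies in Cargo.lock, while this workflow scans the project's own Rust logic. For a production setup, pin the actions to commit SHAs rather than major-version tags.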
