Enable code scanning (CodeQL / Scorecard) for coverage parity

## Context

Linked from the [Daily Org Oversight Report — 2026-03-09](https://github.com/fro-bot/.github/issues/2968).

## Summary

\`fro-bot/fro-bot.github.io\` currently has **no code scanning analysis configured**. Other repos in the org (\`.github\`, \`agent\`) run both CodeQL and OpenSSF Scorecard scans.

## Recommended Actions

1. **Add a CodeQL workflow** — create \`.github/workflows/codeql.yml\` with analysis appropriate for the repo's language(s)
2. **Add a Scorecard workflow** — create \`.github/workflows/scorecard.yml\` to run OpenSSF Scorecard checks
3. Enable GitHub code scanning alerts in the repository security settings

This brings the repo into coverage parity with the rest of the org.

## References

- [GitHub CodeQL setup docs](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)
- [OpenSSF Scorecard GitHub Action](https://github.com/ossf/scorecard-action)

/cc @fro-bot


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enable code scanning (CodeQL / Scorecard) for coverage parity #1

Context

Summary

Recommended Actions

References

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Enable code scanning (CodeQL / Scorecard) for coverage parity #1

Description

Context

Summary

Recommended Actions

References

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions