Week 4: Coding period - Progress Report

PROGRESS :

Ran a few more sets of final tests, and we have finally decided to use CodeQL as the scanner for the new plugin publish pipeline.

I changed the scanning workflow and code to support CodeQL with custom sets of rules defined specifically using the threat model I have been working on. All the rules are written and implemented, and the scanning workflow is running flawlessly for now.

Worked on the second half of the generator-joplin update and made it ready for another PR.

Also experimented with what changes we can make in the plugin-repo-cli package to add the new logic without affecting any of the older workflow for testing.

PR merged:

Next Week Scope

Manually verify each of the custom-written rules for CodeQL so we can reduce noise and cover every possible alternative way, so no one can possibly exploit the rules.

Raise PR 2 and get it merged. Prepare all the other branches for merge so that we don't run short on time and have enough time to end-to-end test the whole working model on real plugins.
