
Enable a SAST Tool #742

Closed
joycebrum opened this issue Nov 3, 2023 · 0 comments · Fixed by #743

Comments

@joycebrum
Contributor

Hi again, I'd like to suggest that pypa/packaging adopt a SAST tool.

SAST, or static code analysis, is testing run on source code before the application runs. It helps prevent known classes of bugs from being inadvertently introduced into the codebase.

Since the pypa/packaging code is entirely in Python, I believe CodeQL would be the best SAST option. CodeQL is an official GitHub tool that runs through GitHub Actions:

  • on push, to look for pre-existing errors. Its reports appear in the Security Dashboard.
  • on pull requests, to look for new errors, bugs or vulnerabilities being introduced. The reports will cause the action to fail and can be easily seen in the GitHub interface (see Triaging code scanning alerts in pull requests for more details).

I'll be submitting a PR with the CodeQL configuration workflow since the default config worked 🎉

Let me know if you have any concerns.

Additional context

CodeQL Description:

CodeQL is the analysis engine used by developers to automate security checks, and by security researchers to perform variant analysis.

In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.
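For readers who want to see what the two behaviours described in this issue (a scan on push that feeds the Security Dashboard, and a scan on pull requests that fails the check) look like in practice, the following is an added, illustrative GitHub Actions workflow. It is not the issue author's workflow and not the file that landed in #743; it uses the stock `github/codeql-action` steps with the default query suite, and assumes the repository's default branch is named `main`.

```yaml
# .github/workflows/codeql.yml  (added example; the workflow in #743 may differ)
name: CodeQL

on:
  push:
    branches: [main]          # assumption: default branch is named main
  pull_request:
    branches: [main]          # new findings here fail the PR check
  schedule:
    - cron: "0 6 * * 1"       # weekly run so newly published queries catch pre-existing issues

permissions:
  contents: read              # least privilege at the workflow level

jobs:
  analyze:
    name: Analyze (python)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required to upload SARIF results to the Security tab
      actions: read           # lets the action read workflow run metadata
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python   # pypa/packaging is entirely Python per the issue
          # queries: security-extended   # uncomment to opt into the broader query suite

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"
```

Two points worth noting for anyone adapting this: the job-level `security-events: write` permission is what allows alerts to reach the Security Dashboard, so keeping the workflow-level default at `contents: read` limits what the rest of the job can do; and the scheduled run is what surfaces pre-existing issues against new queries even when no one is pushing, which the on-push trigger alone would miss.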

@joycebrum joycebrum mentioned this issue Nov 3, 2023
@brettcannon brettcannon changed the title Enable SAST Tool Enable a SAST Tool Nov 7, 2023