
chore: introduce CodeQL scan #10725

Merged (10 commits, Nov 30, 2022)

Conversation

AllanZhengYP (Contributor) commented Nov 29, 2022

Description of changes

The LGTM will stop running for new commits and PRs on 11/30/2022 (blog post). This change is part of the effort to migrate the LGTM check to a CodeQL workflow.

After introducing this workflow, the vulnerability alerts can be checked on the Security tab of the repo. Here is the example in the forked repo. The docs folder is excluded from the scanning scope as it alone takes over 2 hrs to scan. We can set up a separate cron job to run scanning on the docs folder. This behavior corresponds to the current LGTM config.

By default, the PR check would fail if a high or critical alert is detected. We can tune down the sensitivity to critical later if we find most PRs are blocked with the code scanning config.

Issue #, if available

Description of how you validated changes

Validated the behavior in forked repo here.

Checklist

  • PR description included
  • yarn test passes
  • Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@AllanZhengYP AllanZhengYP requested a review from a team as a code owner November 29, 2022 22:37
codecov-commenter commented Nov 29, 2022

Codecov Report

Merging #10725 (a7b7dc6) into main (b1562e7) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main   #10725   +/-   ##
=======================================
  Coverage   85.71%   85.71%           
=======================================
  Files         196      196           
  Lines       18335    18335           
  Branches     3900     3900           
=======================================
  Hits        15715    15715           
  Misses       2544     2544           
  Partials       76       76           


elorzafe (Contributor) previously approved these changes Nov 30, 2022 and left a comment:


Nit: I would remove the comments unless you feel strongly about having those there

(Review comment on .github/workflows/codeql.yml; outdated and resolved.)
iartemiev (Contributor) left a comment:


LGTM 👍🏻
