cesanta / mongoose

Embedded Web Server

Home Page:https://mongoose.ws

Update CodeQL analysis workflow

b4yuan opened this issue · comments

Hello,

I am with a group of researchers looking to improve security in open-source embedded software by using static analysis tools like CodeQL. We wrote up a report of our findings so far. The TL;DR is “CodeQL outperforms the other freely-available static analysis tools, with fairly low false positive rates and lots of real defects”. You can read about the report here: https://arxiv.org/abs/2310.00205

Currently, the CodeQL workflow in this repository performs an analysis, but I suggest making the following changes to the workflow:

  • Upload CodeQL results to Code Scanning under the Security tab for ease of use
  • Upload CodeQL results as an artifact under the workflow
  • Allow for rule filtering which may remove rules that result in too many false positives

I can open a PR with these changes if you would like. Please let me know!
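The three changes proposed in the issue (upload to Code Scanning, keep the SARIF as a workflow artifact, and filter out noisy rules) all live in the workflow file. The following is an added illustration of such a workflow, written for this page; it is not the workflow from the Mongoose repository nor the PR the issue author opened. It assumes the repository is a C code base that CodeQL's autobuild step can compile on its own, and the excluded query id `cpp/poorly-documented-function` is only a placeholder for whatever rules a project decides produce too many false positives.

```yaml
# Added example of a CodeQL workflow with Code Scanning upload, SARIF artifact
# and rule filtering. Not the Mongoose project's own workflow.
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: "0 3 * * 1"   # weekly run so new queries get applied to unchanged code

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload results to Code Scanning

    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: c-cpp
          # Inline config: broader security suite plus rule filtering.
          # The excluded id below is a placeholder; replace it with the
          # rules that produce too many false positives for this code base.
          config: |
            queries:
              - uses: security-extended
            query-filters:
              - exclude:
                  id: cpp/poorly-documented-function

      # Assumes autobuild can compile the project; a manual `run: make`
      # step with build-mode: manual would replace this otherwise.
      - name: Build
        uses: github/codeql-action/autobuild@v3

      - name: Analyze
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:c-cpp"
          output: sarif-results   # directory where the SARIF file is written
          upload: always          # push results to the Security tab

      # Keep the raw SARIF as a downloadable artifact, even if analysis failed,
      # so results can be diffed or fed to other tools outside GitHub.
      - name: Upload SARIF as artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif
          path: sarif-results
```

Results reach the Security tab only when the job has `security-events: write`; without it the analyze step's upload fails even though the query run itself succeeds. The artifact upload is separate from the Code Scanning upload, which is why both steps appear.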

Yes, please.

@scaprile Please see #2497