chore: prefer gosec for semgrep rule and turn on codeql (#3418)

.github/workflows/security-scan.yml

@@ -6,7 +6,9 @@ on:
   pull_request:
     branches:
       - 'main'
-
+    paths-ignore:
+      - 'website/'
+      
 jobs:
   scan:
     runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}

scan.hcl

@@ -14,12 +14,11 @@ repository {
   
   plugin "semgrep" {
     use_git_ignore = true
-    exclude = ["testing", "website"]
-    config = ["p/r2c-security-audit"]
-    exclude_rule = ["generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var"]
+    exclude = ["*_test.go", "website/*", "testing/*"]
+    config = ["p/gosec"]
   }
   
-  # plugin "codeql" {
-  #  languages = ["go"]
-  # }
+  plugin "codeql" {
+    languages = ["go"]
+   }
 }