Perhaps more of a discussion / consideration for the maintainers than a pure feature request, but:
Is your feature request related to a problem? Please describe.
We recently stumbled on a script injection that was not caught by the current Dangerous Workflow check rules. The current check can detect unsafe usage of workflow environment variables, but not cases where those same values are retrieved via the gh CLI tool, which is preinstalled in GitHub Actions runners.
We learned in our investigation that GitHub very recently enabled CodeQL scanning for GitHub Actions, including some rules that do cover the gh CLI case.
Describe the solution you'd like
For repositories without CodeQL workflow scanning enabled, it would be great to have detection coverage for the gh CLI cases from Scorecard. This would be the feature request.
On the flip side, the SAST check already recommends enabling CodeQL, so if the CodeQL GitHub Action checks fully include / are a superset of the Dangerous Workflow checks (I haven't looked into feature parity here), then the Dangerous Workflow check might be redundant for repositories that have CodeQL scanning enabled. I don't personally see any downside (aside from the extra compute) in running both, as long as the results don't conflict. This is maybe a discussion point.
Describe alternatives you've considered
Users can run both tools.
Additional context
N/A
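As an added example (not Scorecard's code or the reporter's), a heuristic detector in the spirit of the request: it scans the shell text of a `run:` step for variables filled from `gh pr view` / `gh issue view` JSON fields that an outside contributor controls, and flags the sinks a reviewer would care about. The field list, the sink patterns and the sample script are assumptions of this example.

```python
import re

# Fields of a PR/issue that an external contributor can set (assumed list).
UNTRUSTED_FIELDS = {"title", "body", "headRefName", "comments", "commits", "author"}
# VAR=$(gh pr view ... ) / VAR=$(gh issue view ... ) assignments
GH_ASSIGN = re.compile(r"(?P<var>\w+)=\$\(\s*gh\s+(?:pr|issue)\s+view\b(?P<args>[^)]*)\)")
JSON_FIELDS = re.compile(r"--json\s+(?P<fields>[\w,]+)")
# appending to the runner's env/output/path files
GITHUB_FILE_SINK = re.compile(r">>\s*\"?\$\{?GITHUB_(ENV|OUTPUT|PATH)\}?")

def tainted_vars(script):
    """Map shell variable name -> sorted untrusted fields it was filled from via gh CLI."""
    found = {}
    for m in GH_ASSIGN.finditer(script):
        fm = JSON_FIELDS.search(m.group("args"))
        fields = set(fm.group("fields").split(",")) if fm else set()
        if fields & UNTRUSTED_FIELDS:
            found[m.group("var")] = sorted(fields & UNTRUSTED_FIELDS)
    return found

def find_unsafe_uses(script):
    """Return (line_no, var, reason) for each tainted variable reaching an unsafe sink."""
    findings = []
    tainted = tainted_vars(script)
    for line_no, line in enumerate(script.splitlines(), 1):
        for var in tainted:
            use = re.compile(r"\$(\{%s\}|%s\b)" % (var, var))
            if not use.search(line):
                continue
            if GITHUB_FILE_SINK.search(line):
                # a newline in the value can add extra env vars, outputs or PATH entries
                findings.append((line_no, var, "written to GITHUB_ENV/OUTPUT/PATH"))
            elif re.search(r"\beval\b", line):
                findings.append((line_no, var, "passed to eval"))
            elif use.search(re.sub(r'"[^"]*"', "", line)):
                # still present once double-quoted segments are removed: unquoted expansion
                findings.append((line_no, var, "unquoted expansion"))
    return findings

# Constructed sample run: script (not taken from the issue)
SAMPLE_RUN = """TITLE=$(gh pr view "$PR_NUMBER" --json title -q .title)
BRANCH=$(gh pr view "$PR_NUMBER" --json headRefName -q .headRefName)
NUM=$(gh pr view "$PR_NUMBER" --json number -q .number)
echo "Checking $TITLE"
echo "title=$TITLE" >> "$GITHUB_OUTPUT"
git checkout $BRANCH
echo $NUM"""

if __name__ == "__main__":
    for line_no, var, reason in find_unsafe_uses(SAMPLE_RUN):
        print(f"line {line_no}: ${var} {reason}")
```

On the sample it reports line 5 (`TITLE` appended to `$GITHUB_OUTPUT`) and line 6 (`BRANCH` expanded unquoted), while the quoted use on line 4 and the numeric `NUM` field produce nothing.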