A full Actions workflow can be found here
Scanning OWASP WebGoat with CodeQL can run into issues right out of the box: CodeQL might find very little or, worse, nothing at all. This is due to the following:
- WebGoat uses JDK 17
  - Action uses JDK 8 by default
- Uses Project Lombok
  - Future support will be coming to CodeQL natively
- Dependencies are not all present in Dependency Graph
  - Using Submission API
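
A minimal workflow covering the JDK and Dependency Graph points above, as an added example that is not the workflow linked from this page. The branch name, the Temurin distribution, the Maven build command and the action version tags are assumptions, and it does nothing about Lombok.

```yaml
# Added example: not the workflow linked from this page.
name: codeql-webgoat
on:
  push:
    branches: [main]       # assumption: default branch name
permissions:
  contents: write          # needed by the dependency submission step
  security-events: write   # needed to upload CodeQL results
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Select JDK 17 explicitly before CodeQL is initialised,
      # so the build CodeQL observes uses the JDK WebGoat needs.
      - uses: actions/setup-java@v4
        with:
          distribution: temurin   # assumption: any JDK 17 distribution works
          java-version: '17'
          cache: maven
      - uses: github/codeql-action/init@v3
        with:
          languages: java
      # Explicit build step instead of autobuild, run with the JDK set above.
      # Assumption: a plain Maven package build is enough for WebGoat.
      - name: Build
        run: mvn -B -DskipTests clean package
      - uses: github/codeql-action/analyze@v3
      # Send the resolved Maven dependency tree to the Dependency Graph
      # through the dependency submission API.
      - name: Submit Maven dependencies
        uses: advanced-security/maven-dependency-submission-action@v4
```

If the analysis still reports few results, check the build step's log to confirm that compilation succeeded under JDK 17.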