From f5e83e01bec962751f9c44daaeace7e38f2b763a Mon Sep 17 00:00:00 2001
From: swyrwiak-cu <122489837+swyrwiak-cu@users.noreply.github.com>
Date: Thu, 25 Jan 2024 11:48:03 +0100
Subject: [PATCH] feat(security): Adding default semgrep workflow
 [CU-8x8uty8zb]

---
 .github/workflows/semgrep.yml | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/semgrep.yml

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..26b2007
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,36 @@
+# Name of this GitHub Actions workflow.
+name: Semgrep
+
+on:
+    # Scan changed files in PRs (diff-aware scanning):
+    pull_request:
+        branches: ['main']
+
+    # Schedule the CI job (this method uses cron syntax):
+    schedule:
+        - cron: '0 0 * * MON-FRI'
+
+jobs:
+    semgrep:
+        # User definable name of this GitHub Actions job.
+        name: Scan
+        # If you are self-hosting, change the following `runs-on` value:
+        runs-on: ubuntu-latest
+
+        container:
+            # A Docker image with Semgrep installed. Do not change this.
+            image: returntocorp/semgrep
+
+        # Skip any PR created by dependabot to avoid permission issues:
+        if: (github.actor != 'dependabot[bot]')
+
+        steps:
+            # Fetch project source with GitHub Actions Checkout.
+            - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+            # Run the "semgrep ci" command on the command line of the docker image.
+            - run: semgrep ci
+              env:
+                  # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
+                  # Generate a token from Semgrep Cloud Platform > Settings
+                  # and add it to your GitHub secrets.
+                  SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}