
ci: add Semgrep SAST scanning on pull requests #95

Merged
ulziibay-kernel merged 1 commit into main from ci/semgrep
Apr 10, 2026

Conversation


@ulziibay-kernel ulziibay-kernel commented Apr 10, 2026

Adds Semgrep static analysis on PRs to main via the reusable workflow in kernel/security-workflows. Includes .semgrepignore for generated code, test fixtures, and lock files.

Made with Cursor


Note

Low Risk
Low risk: adds CI security scanning and an ignore file without changing runtime code. Main risk is potential PR noise or CI failures from new Semgrep findings/misconfigured ignores.

Overview
Adds a new GitHub Actions workflow, semgrep.yml, to run Semgrep SAST on pull requests targeting main via the reusable kernel/security-workflows workflow, with JavaScript/TypeScript rules enabled.

Introduces .semgrepignore to exclude common generated/build outputs, dependencies, lockfiles, and test files from scanning.

Reviewed by Cursor Bugbot for commit 72a946a.


vercel bot commented Apr 10, 2026

The latest updates on your projects.

Project: mcp | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Apr 10, 2026 5:34pm

@firetiger-agent

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR only modifies CI configuration and Semgrep ignore files, not kernel API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


bun.lock
package-lock.json
**/*.test.ts
**/*.spec.ts

Semgrepignore misses .tsx test file patterns

Low Severity

The .semgrepignore excludes **/*.test.ts and **/*.spec.ts but not **/*.test.tsx and **/*.spec.tsx. Since .semgrepignore uses .gitignore-style glob matching, a *.ts pattern does not match .tsx files. This is a Next.js/React project with .tsx files throughout (page.tsx, layout.tsx, component files), so React component tests will naturally use .test.tsx/.spec.tsx extensions and won't be excluded from scanning, contradicting the stated intent.

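The glob point in the Bugbot finding above, as an added example that is not part of the PR or of any comment on it: a simplified gitignore-style matcher (the semantics for `**/` and `*` are an assumption, not Semgrep's own implementation) run over a constructed Next.js-like file list, showing which files the four patterns shown above leave scanned and how adding the `.tsx` variants closes the gap.

```python
import re
from typing import Iterable, List

# The four patterns quoted in the review comment, and a corrected set that
# also covers React component tests written as .tsx files.
ORIGINAL_IGNORE = ["bun.lock", "package-lock.json", "**/*.test.ts", "**/*.spec.ts"]
FIXED_IGNORE = ORIGINAL_IGNORE + ["**/*.test.tsx", "**/*.spec.tsx"]

# Constructed sample tree of a Next.js/React project (not the real repo).
SAMPLE_TREE = [
    "bun.lock",
    "app/page.tsx",
    "app/page.test.tsx",
    "lib/auth.ts",
    "lib/auth.test.ts",
    "components/Button.spec.tsx",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a gitignore-style glob into an anchored regex.

    Simplified model (assumption): '**/' matches zero or more leading
    directories, '*' and '?' never cross a '/', and a pattern with no '/'
    matches a basename at any depth. Note that '*.ts' ends the match at
    'ts', so it cannot match a '.tsx' file.
    """
    pat = pattern.strip().lstrip("/")
    if "/" not in pat:
        pat = "**/" + pat  # bare name: match at any depth
    out = ""
    i = 0
    while i < len(pat):
        if pat.startswith("**/", i):
            out += "(?:[^/]+/)*"
            i += 3
        elif pat[i] == "*":
            out += "[^/]*"
            i += 1
        elif pat[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pat[i])
            i += 1
    return re.compile("^" + out + "$")


def is_ignored(path: str, patterns: Iterable[str]) -> bool:
    """True if any ignore pattern matches the repo-relative path."""
    return any(glob_to_regex(p).match(path) for p in patterns)


def scanned_files(paths: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Return the paths Semgrep would still scan under these ignore patterns."""
    pats = list(patterns)
    return [p for p in paths if not is_ignored(p, pats)]
```

Under the original patterns `app/page.test.tsx` and `components/Button.spec.tsx` stay in the scan set; with the `.tsx` variants added only `app/page.tsx` and `lib/auth.ts` remain.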

@ulziibay-kernel ulziibay-kernel requested a review from Sayan- April 10, 2026 18:10

@Sayan- Sayan- left a comment


LGTM — standard Semgrep reusable workflow rollout. JS/TS configs and .semgrepignore look correct.

@ulziibay-kernel ulziibay-kernel merged commit feb076f into main Apr 10, 2026
6 checks passed
@ulziibay-kernel ulziibay-kernel deleted the ci/semgrep branch April 10, 2026 21:01