From 72a946aa6512c0ce135d12a8fcedfe2ed7cd1290 Mon Sep 17 00:00:00 2001
From: Ulzii Otgonbaatar <ulzii@kernel.sh>
Date: Fri, 10 Apr 2026 11:33:32 -0600
Subject: [PATCH] ci: add Semgrep SAST scanning on pull requests

Made-with: Cursor
---
 .github/workflows/semgrep.yml | 17 +++++++++++++++++
 .semgrepignore                |  8 ++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 .github/workflows/semgrep.yml
 create mode 100644 .semgrepignore

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..779f894
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,17 @@
+name: Semgrep
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    uses: kernel/security-workflows/.github/workflows/semgrep.yml@main
+    with:
+      extra-configs: '--config p/javascript --config p/typescript'
+      codebase-description: 'Hosted MCP server handling authenticated tool execution and browser session data'
+    secrets: inherit
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 0000000..9abbca4
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,8 @@
+node_modules/
+dist/
+.next/
+out/
+bun.lock
+package-lock.json
+**/*.test.ts
+**/*.spec.ts