[FEATURE] Add Semgrep CI snippet

CI/security/semgrep.yml

@@ -0,0 +1,36 @@
+semgrep:
+  runs-on: ubuntu-latest
+  steps:
+    - uses: actions/checkout@v4
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.12"
+
+    - name: Cache Semgrep
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/semgrep
+        key: semgrep-${{ runner.os }}-${{ hashFiles('**/.semgrepignore') }}
+
+    - name: Install Semgrep
+      run: pip install semgrep==1.72.0
+
+    - name: Run Semgrep
+      run: |
+        set -euo pipefail
+
+        if ! command -v semgrep &> /dev/null; then
+          echo "::error::semgrep not found. Install it before running this script."
+          exit 1
+        fi
+
+        echo "ℹ️ Running Semgrep static analysis..."
+
+        if semgrep --config p/default --error .; then
+          echo "✅ Semgrep passed"
+          exit 0
+        else
+          echo "❌ Semgrep found issues"
+          exit 1
+        fi

README.md

@@ -11,6 +11,7 @@ that projects compose into their own workflows.
 |------|----------|------|
 | gitleaks | security | [CI/security/gitleaks.yml](https://github.com/prog-time/workflows/blob/main/CI/security/gitleaks.yml) |
 | trivy | security | [CI/security/trivy.yml](https://github.com/prog-time/workflows/blob/main/CI/security/trivy.yml) |
+| semgrep | security | [CI/security/semgrep.yml](https://github.com/prog-time/workflows/blob/main/CI/security/semgrep.yml) |
 | ESLint | linters | [CI/linters/eslint.yml](https://github.com/prog-time/workflows/blob/main/CI/linters/eslint.yml) |
 | golangci-lint | linters | [CI/linters/golangci-lint.yml](https://github.com/prog-time/workflows/blob/main/CI/linters/golangci-lint.yml) |
 | Hadolint | linters | [CI/linters/hadolint.yml](https://github.com/prog-time/workflows/blob/main/CI/linters/hadolint.yml) |
@@ -82,6 +83,7 @@ Workflows/
 │   │   │   └── yamllint.yml
 │   │   ├── security/
 │   │   │   ├── gitleaks.yml
+│   │   │   ├── semgrep.yml
 │   │   │   └── trivy.yml
 │   │   ├── static_analysis/
 │   │   │   ├── mypy.yml
@@ -110,6 +112,7 @@ Workflows/
 │       │   └── yamllint.sh
 │       └── security/
 │           ├── gitleaks.sh
+│           ├── semgrep.sh
 │           └── trivy.sh
 │
 ├── CI/                             # assembled output (ready to use)
@@ -129,6 +132,7 @@ Workflows/
 │   │   └── yamllint.bats
 │   ├── security/
 │   │   ├── gitleaks.bats
+│   │   ├── semgrep.bats
 │   │   └── trivy.bats
 │   └── helpers/
 │       └── common.bash             # shared test utilities (mocks, temp dirs)
@@ -204,6 +208,7 @@ shellcheck:
 |---------|------|----------------|
 | `CI/security/gitleaks.yml` | [gitleaks](https://github.com/gitleaks/gitleaks) | Hardcoded secrets, tokens, and API keys |
 | `CI/security/trivy.yml` | [trivy](https://github.com/aquasecurity/trivy) | CVEs in OS packages, container images, and dependency manifests |
+| `CI/security/semgrep.yml` | [semgrep](https://semgrep.dev) | OWASP Top 10 patterns and insecure coding patterns across Python, JS/TS, Go, Java, Ruby, and more |
 
 ### Linters
 

scripts/CI/security/semgrep.yml

@@ -0,0 +1,20 @@
+semgrep:
+  runs-on: ubuntu-latest
+  steps:
+    - uses: actions/checkout@v4
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.12"
+
+    - name: Cache Semgrep
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/semgrep
+        key: semgrep-${{ runner.os }}-${{ hashFiles('**/.semgrepignore') }}
+
+    - name: Install Semgrep
+      run: pip install semgrep==1.72.0
+
+    - name: Run Semgrep
+      run: bash scripts/shell/security/semgrep.sh

scripts/shell/security/semgrep.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v semgrep &> /dev/null; then
+  echo "::error::semgrep not found. Install it before running this script."
+  exit 1
+fi
+
+echo "ℹ️ Running Semgrep static analysis..."
+
+if semgrep --config p/default --error .; then
+  echo "✅ Semgrep passed"
+  exit 0
+else
+  echo "❌ Semgrep found issues"
+  exit 1
+fi

tests/security/semgrep.bats

@@ -0,0 +1,52 @@
+#!/usr/bin/env bats
+
+load "../helpers/common"
+
+SCRIPT="$BATS_TEST_DIRNAME/../../scripts/shell/security/semgrep.sh"
+
+setup() {
+  setup_test_dir
+  mkdir -p "$TEST_DIR/bin"
+  export PATH="$TEST_DIR/bin:$PATH"
+}
+
+teardown() {
+  teardown_test_dir
+}
+
+make_semgrep_stub() {
+  local exit_code="$1"
+  cat > "$TEST_DIR/bin/semgrep" <<EOF
+#!/usr/bin/env bash
+exit $exit_code
+EOF
+  chmod +x "$TEST_DIR/bin/semgrep"
+}
+
+@test "semgrep not installed: exits 1 with error annotation" {
+  # Do not create a semgrep stub — it should be absent from PATH
+  run bash "$SCRIPT"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"::error::semgrep not found"* ]]
+}
+
+@test "semgrep finds no issues: exits 0 with success message" {
+  make_semgrep_stub 0
+  run bash "$SCRIPT"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"✅ Semgrep passed"* ]]
+}
+
+@test "semgrep finds issues: exits 1 with failure message" {
+  make_semgrep_stub 1
+  run bash "$SCRIPT"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"❌ Semgrep found issues"* ]]
+}
+
+@test "scan message is printed before running semgrep" {
+  make_semgrep_stub 0
+  run bash "$SCRIPT"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"ℹ️ Running Semgrep static analysis"* ]]
+}