Add a CI Job to run a Semgrep scan on this codebase. The job is configured to run only on the main branch because it requires access to the SEMGREP_APP_TOKEN secret which may not be accessible on PRs from external contributors. The job will upload the report as a SARIF file to GitHub for ingestion without having to rely on the Semgrep web application.
Relates to #45
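The workflow described above, as an added illustration that is not the pull request's own file: a GitHub Actions job that runs Semgrep only on the `main` branch, authenticates with the `SEMGREP_APP_TOKEN` secret, and uploads the SARIF report to GitHub Code Scanning directly rather than through the Semgrep web application. The workflow file name, the action versions and the `semgrep/semgrep` container image are assumptions, not values from the PR.

```yaml
# .github/workflows/semgrep.yml  (file name is an assumption, not from the PR)
name: Semgrep

on:
  push:
    branches: [main]   # main only: the secret is not exposed to PRs from forks

permissions:
  contents: read
  security-events: write   # needed by upload-sarif to write Code Scanning alerts

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # assumed image; the PR does not name one
    steps:
      - uses: actions/checkout@v4

      - name: Run Semgrep and write a SARIF report
        run: semgrep ci --sarif --output=semgrep.sarif
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

      - name: Upload SARIF to GitHub Code Scanning
        if: always()   # upload even when semgrep exits non-zero on blocking findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

Two details worth checking when adapting this: `security-events: write` must be granted or the upload step fails silently with a permissions error, and `if: always()` on the upload step keeps the findings visible in the Security tab even when `semgrep ci` returns a non-zero exit code for blocking results.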