security(semgrep): add a semgrep workflows

Author: moscaale

.github/workflows/security.yml

@@ -0,0 +1,35 @@
+name: Security Scans
+
+on:
+  push:
+    branches:
+      - main
+  release:
+    types:
+      - published
+      - edited
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  semgrep:
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Semgrep
+        run: semgrep ci --config auto --sarif --output semgrep.sarif
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} # Optionnel
+
+      - name: Upload results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: semgrep.sarif