security(semgrep): add a semgrep workflows#785

Merged
moscaale merged 3 commits into
mainfrom
security/semgrep
Mar 23, 2026
Conversation

@moscaale

@moscaale moscaale commented Mar 19, 2026

Contributor

Description

In this PR, semgrep is integrated in order to run SAST tools in OGL and possibly detect any malicious code before pushing into PROD.
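The PR does not show the workflow file itself, so the following is an added example of what a minimal Semgrep SAST workflow for GitHub Actions looks like; it is not the file merged in this PR and not OGL project code. It assumes the official `semgrep/semgrep` container image, the `semgrep ci` subcommand with its `--sarif`/`--output` flags, and the `github/codeql-action/upload-sarif` action (all of which exist), and it uses a hypothetical repository secret named `SEMGREP_APP_TOKEN`. Uploading the SARIF report is what makes findings appear under the repository's Security tab, which is why the GitHub Code Scanning bot comments on a PR that adds such a workflow.

```yaml
# Added example workflow (not the PR's own file): run Semgrep on every PR
# and on pushes to main, then publish findings to GitHub Code Scanning.
name: Semgrep

on:
  pull_request: {}
  push:
    branches: [main]

# Least privilege: the job only needs to read the checkout and write
# code-scanning results; nothing else in the token scope.
permissions:
  contents: read
  security-events: write

jobs:
  semgrep:
    name: Semgrep SAST
    runs-on: ubuntu-latest
    # Skip bot-authored PRs (e.g. dependency bumps) to save scan minutes.
    if: github.actor != 'dependabot[bot]'
    container:
      image: semgrep/semgrep
    steps:
      # For production, pin third-party actions to a full commit SHA rather
      # than a moving tag so a compromised upstream tag cannot change the job.
      - uses: actions/checkout@v4

      # `semgrep ci` picks the ruleset: with SEMGREP_APP_TOKEN set it uses the
      # policies configured in Semgrep AppSec Platform; without the token it
      # falls back to `--config auto` (community rules chosen per language).
      # The SARIF file is written regardless of whether findings block the job.
      - name: Run Semgrep
        run: semgrep ci --sarif --output=semgrep.sarif
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}  # assumed secret name

      # Upload even when the scan step failed on blocking findings, so the
      # results are visible in the Security tab and as PR annotations.
      - name: Upload SARIF to GitHub Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

A caveat worth keeping in mind when reading the PR description: a rule-based SAST scan like this flags known insecure code patterns and secrets; it is a pre-merge guardrail against vulnerable code, not a reliable detector of deliberately malicious or obfuscated changes, which still depend on code review and on controls such as branch protection and reviewed dependency updates.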

Overview

This section provides a checklist to help categorize and describe the changes made in this PR.

Area

Please select the area(s) that this PR affects:

  • Core / Global project settings
  • API
  • Playground / Web UI
  • DevOps
  • Docusaurus / Documentation
  • Other (specify below)

If "Other" is selected, please provide more details about the area(s) affected by this PR here, otherwise delete this part.

Type of change

Please select the type of change that this PR introduces:

  • New feature
  • Bugfix
  • Enhancement (improvement of an existing feature)
  • Refactor (change that neither fixes a bug nor modifies behavior)
  • Documentation
  • Tests
  • Performance improvement
  • Chore / Maintenance (change to the build process or auxiliary tools, dependencies update, etc.)

Definition of Done / Technical changes

Please provide the Definition of Done (DoD) criteria that apply to this PR.

  • DoD 1
  • DoD 2
  • DoD 3
  • ...

Screenshots / Demo (if applicable)

Please, attach screenshots or a link to a demo / video demonstrating the changes made in this PR.

Breaking changes

Please select one of the following options:

  • No breaking changes
  • This PR contains breaking changes (explain below)

Please describe the breaking change introduced by this PR here, otherwise delete this part.

NB: A breaking change is a modification that is not backwards-compatible and/or changes current functionality.

Quality assurance & Review readiness

Before requesting a review, please take a moment to confirm that the following aspects have been considered and addressed.

This section helps ensure the PR is ready for review, safe to merge, and deployable. If any items are left unchecked, please add a brief explanation for context.

Documentation

Please select one of the following options:

  • No documentation needed
  • README / Markdown files updated
  • API documentation updated (Swagger / Redoc)
  • Docstrings updated
  • Inline code comments added where needed

Tests

Please select one or more of the following options:

  • No tests added (explain below)
  • Unit tests added
  • Integration tests added
  • Functional tests added
  • End-to-end tests added
  • Performance tests added
  • Existing tests updated

We are not modifying the code of OGL

NB: For a concise overview of software testing types, see this Atlassian guide.

Code Standards

  • Code follows project conventions and architecture
  • No unused imports, variables, functions, or classes
  • No debug logs or commented-out code left
  • No secrets or environment variables committed in clear text
  • Code is linted and formatted using the project tools (ruff, etc.)
  • N/A

Git & Process Standards

Deployment Notes

  • No special deployment steps required
  • Requires database migration (see "Database migration" section)
  • Requires new or updated environment variables (explain below)
  • Requires other special deployment steps (explain below)

If new or updated environment variables are required, please list them here, otherwise delete this part.
If other special deployment steps are required, please describe them here, otherwise delete this part.

Database migration

Please select one of the following options:

  • No database migration required
  • This PR requires a database migration (see checklist below)

Please confirm that the following steps have been completed for the database migration:

  • Migration script added to api/alembic/versions/ folder
  • Migration upgrade tested locally
  • Migration downgrade tested locally
  • Migration documented (if applicable)

Reviewer Focus

Please provide any specific areas you would like the reviewers to focus on during their review of this PR (complex logic, risky changes, performance-sensitive code, etc.).

Additional Notes

Please provide any additional information or context that may be relevant to this PR, otherwise delete this part.

@moscaale moscaale requested a review from benjaminpilia March 19, 2026 13:49
@moscaale moscaale self-assigned this Mar 19, 2026
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@moscaale moscaale force-pushed the security/semgrep branch 12 times, most recently from bef5420 to 91818ad on March 19, 2026 20:43
@moscaale moscaale merged commit 51bde25 into main Mar 23, 2026
6 checks passed
@moscaale moscaale deleted the security/semgrep branch March 23, 2026 08:44
3 participants