diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 00000000..26163bad
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,48 @@
+name: Semgrep Full Scan
+
+on:
+  push:
+    branches:
+      - '**'
+    tags-ignore:
+      - '*'
+  pull_request:
+  schedule:
+    - cron: '42 2 * * 3'
+
+jobs:
+
+  semgrep-full:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+
+      - name: clone application source code
+        uses: actions/checkout@v4
+        with:
+          # We must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head.
+          fetch-depth: 2
+
+      - name: full scan
+        run: |
+          semgrep \
+            --sarif --output report.sarif \
+            --metrics=off \
+            --config="p/default"
+
+      # step 3
+      - name: save report as pipeline artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: report.sarif
+          path: report.sarif
+
+      # step 4
+      - name: publish code scanning alerts
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: report.sarif
+          category: semgrep
\ No newline at end of file
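Review bot: The workflow declares no `permissions:` block, so the job runs with whatever GITHUB_TOKEN default the repository has — either broader than a scanner needs, or too narrow for the `upload-sarif` step, which requires `security-events: write` and would otherwise fail at publish time; add at the workflow or job level `permissions:` / `  contents: read` / `  security-events: write`. The three actions are referenced by mutable major tags (`actions/checkout@v4`, `actions/upload-artifact@v4`, `github/codeql-action/upload-sarif@v3`) and the container image `returntocorp/semgrep` carries no version tag or digest, so the scan toolchain can change underneath the workflow without a diff; pinning each `uses:` to a full-length commit SHA with the version in a trailing comment (e.g. `uses: actions/checkout@<full-commit-sha>  # v4`) and the image to a tagged or digest-pinned reference keeps the supply chain reviewable. The SARIF artifact from step 3 is downloadable by anyone with read access to the repository, which on a public repository presumably includes unauthenticated users, so it may be worth a comment stating that finding details are intentionally shared or restricting the upload to the code-scanning publish in step 4. The file also ends without a trailing newline.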