Add semgrep action and workflow #11

	name: Static Application Security Testing (SAST)
	on:
	workflow_dispatch:
	inputs:
	scan_scope:
	description: "Scan scope (all/changed)"
	required: true
	default: "changed"
	type: choice
	options:
	- all
	- changed
	severity:
	description: "Minimum severity level"
	required: true
	default: "WARNING"
	type: choice
	options:
	- ERROR
	- WARNING
	- INFO
	fail_on_findings:
	description: "Fail workflow if issues found"
	required: true
	default: true
	type: boolean
	pull_request:
	types: [opened, synchronize, reopened]
	branches:
	- main
	- master
	- "feature/**"
	- "release/**"
	push:
	branches:
	- main
	- master
	- "feature/**"
	- "release/**"

	permissions:
	contents: read
	security-events: write
	pull-requests: write # Added for PR comments

	jobs:
	security-scan:
	runs-on: ubuntu-latest
	if: github.event_name != 'pull_request' \|\| github.event.pull_request.head.repo.full_name == github.repository
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Run Semgrep scan
	id: semgrep
	uses: ./.github/actions/security/semgrep
	with:
	scan_scope: ${{ inputs.scan_scope \|\| 'changed' }}
	severity: ${{ inputs.severity \|\| 'WARNING' }}
	fail_on_findings: ${{ inputs.fail_on_findings \|\| 'true' }}
	config: "p/default"
	output_format: "sarif"

	- name: Upload SARIF results to GitHub Security
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: ${{ steps.semgrep.outputs.report_path }}

	- name: Upload scan results
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: semgrep-results
	path: ${{ steps.semgrep.outputs.report_path }}

Provide feedback