From 97ea78d78e8dbd4a792e9896e17d77ccfe7bcb16 Mon Sep 17 00:00:00 2001
From: Sayan Samanta <sayan@onkernel.com>
Date: Wed, 29 Apr 2026 10:56:01 -0700
Subject: [PATCH] ci: add Semgrep SAST scanning on pull requests

Subscribes this repo to the shared Semgrep workflow in
kernel/security-workflows as part of expanding the elevated
vulnerability management scope to customer-facing SDKs
(KERNEL-1191, INC-51 follow-up).

Made-with: Cursor
---
 .github/workflows/semgrep.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .github/workflows/semgrep.yml

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..334d1c1
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,17 @@
+name: Semgrep
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    uses: kernel/security-workflows/.github/workflows/semgrep.yml@main
+    with:
+      extra-configs: '--config p/python --config p/trailofbits'
+      codebase-description: 'Stainless-generated Python SDK for the Kernel API (public PyPI package used by customers)'
+    secrets: inherit