chore(ci): add semgrep security scanning to pre-commit and CI#3395

Closed
SuyashJain17 wants to merge 3 commits into OWASP:main from SuyashJain17:chore/add-semgrep-scans

Conversation

@SuyashJain17
Contributor

Proposed change

Resolves #2984

This PR adds Semgrep static analysis scanning to the OWASP Nest project to detect security vulnerabilities across both backend (Python/Django) and frontend (TypeScript/JavaScript/React) components.

The integration is intentionally minimal and non-intrusive, focusing on visibility first rather than enforcement, so existing developer workflows and CI stability are not impacted.

Summary of changes

1. Local development (optional)

  • Added Semgrep as an optional pre-commit hook using stages: [manual]
  • Uses the p/security-audit ruleset to focus on real security vulnerabilities and avoid noisy style or best-practice warnings
  • The hook is opt-in and does not block regular commits
  • Developers can run Semgrep locally using:
    pre-commit run semgrep --all-files

2. CI/CD integration

  • Added a new semgrep-scan job to the existing CI/CD workflow

  • Runs using the official semgrep/semgrep container image

  • Uses the p/security-audit ruleset

  • Runs in non-blocking mode (no --error flag) so findings are reported without failing the build

  • Includes a bounded timeout to prevent runaway scans

This setup ensures consistent security scanning in CI while allowing the team to review findings before enabling stricter enforcement in future iterations.

Scope of changes

  • Modified files:

    • .pre-commit-config.yaml
    • .github/workflows/run-ci-cd.yaml
  • No application code, tests, or runtime behavior were changed

Future follow-ups (out of scope for this PR)

  • Enable --error once findings are reviewed and addressed

  • Promote the pre-commit hook from manual to automatic if adoption is positive

  • Add SARIF upload for GitHub Security Dashboard integration

Checklist

  • Required: I followed the [contributing workflow]
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR
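The two configuration fragments the description and the CodeRabbit walkthrough describe, reconstructed here as an added example (this is not the PR's own diff). Job name, dependencies, ruleset, image tag, hook revision and timeout are taken from the page; the exact `semgrep` command line and the checkout step are assumptions.

```yaml
# --- .pre-commit-config.yaml (fragment) ---
# `stages: [manual]` keeps the hook out of the default commit path, so a
# normal `git commit` never runs it; it runs only when invoked explicitly.
repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: v1.148.0
    hooks:
      - id: semgrep
        name: semgrep
        args:
          - --config
          - p/security-audit          # security rules only, no style noise
          - --skip-unknown-extensions # ignore files Semgrep cannot parse
        stages: [manual]
---
# --- .github/workflows/run-ci-cd.yaml (fragment) ---
# Report-only job: findings are printed, the build is not failed.
# The `semgrep scan` invocation and checkout step are assumed, not from the PR.
jobs:
  semgrep-scan:
    name: Run Semgrep security audit
    needs:
      - check-frontend
      - pre-commit
      - spellcheck
    runs-on: ubuntu-latest
    timeout-minutes: 10             # bounded so a runaway scan cannot hang CI
    container:
      image: semgrep/semgrep:1.102.0
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
      - name: Semgrep scan (non-blocking)
        # No --error: exit status stays 0 even when findings are reported.
        # Once the backlog is triaged, append --error to start enforcing.
        run: semgrep scan --config p/security-audit
```

Pinning both the container tag and the hook `rev` keeps local and CI results comparable; bump them together when upgrading Semgrep.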

@coderabbitai
Contributor

coderabbitai bot commented Jan 17, 2026

Summary by CodeRabbit

  • Chores
    • Enhanced automated security scanning in the CI/CD pipeline by adding a dedicated Semgrep security-audit job that runs alongside existing checks to catch issues earlier.
    • Added a local pre-commit Semgrep hook so developers run the same security audit checks before committing changes.


Walkthrough

Adds Semgrep static analysis to the repository: a new CI job semgrep-scan in the GitHub Actions workflow and a Semgrep pre-commit hook configured with the p/security-audit profile for local checks.

Changes

Cohort / File(s): Summary

  • CI/CD Security Scanning (.github/workflows/run-ci-cd.yaml): Added semgrep-scan job depending on check-frontend, pre-commit, and spellcheck; uses semgrep:1.102.0 container and runs Semgrep with --config p/security-audit; timeout 10 minutes
  • Pre-commit Hook Integration (.pre-commit-config.yaml): Added https://github.com/semgrep/pre-commit at v1.148.0 and a semgrep hook with arguments --config p/security-audit and --skip-unknown-extensions; hook staged as manual

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • kasya
  • arkid15r
Pre-merge checks: 5 passed

  • Title check: Passed. The title accurately summarizes the main change: adding Semgrep security scanning to pre-commit and CI/CD workflows.
  • Description check: Passed. The description thoroughly explains the Semgrep integration, its minimal non-intrusive approach, configuration changes, and future scope.
  • Linked Issues check: Passed. The PR fully addresses issue #2984 by introducing Semgrep scanning for backend/frontend components in both local and CI/CD environments using the security-audit ruleset.
  • Out of Scope Changes check: Passed. All changes are scoped to Semgrep configuration in two files (.pre-commit-config.yaml and .github/workflows/run-ci-cd.yaml); no unrelated modifications present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



coderabbitai bot previously approved these changes Jan 17, 2026

@arkid15r
Collaborator

Closing in favor of #3406

@arkid15r arkid15r closed this Jan 23, 2026


Successfully merging this pull request may close these issues.

Add Semgrep to local and CI/CD checks
