diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml
index ddc4ab28e0..ab289bdf5f 100644
--- a/.github/workflows/run-ci-cd.yaml
+++ b/.github/workflows/run-ci-cd.yaml
@@ -121,6 +121,25 @@ jobs:
         run: |
           make check-spelling
 
+  semgrep-scan:
+    name: Run Semgrep Scan
+    needs:
+      - check-frontend
+      - pre-commit
+      - spellcheck
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep:1.102.0
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+
+      - name: Run Semgrep scan
+        run: semgrep scan --config p/security-audit
+        timeout-minutes: 10
+
   scan-code:
     name: Run Code Scan
     needs:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d7a9ca998d..147523ed30 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -83,6 +83,17 @@ repos:
       - id: trailing-whitespace
         exclude: pnpm-lock.yaml
 
+  - repo: https://github.com/semgrep/pre-commit
+    rev: v1.148.0
+    hooks:
+      - id: semgrep
+        args:
+          - --config
+          - p/security-audit
+          - --skip-unknown-extensions
+        stages:
+          - manual
+
   - repo: https://github.com/tox-dev/pyproject-fmt
     rev: v2.11.1
     hooks:
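Review bot: The scanner container is pinned only by mutable tag (`image: semgrep/semgrep:1.102.0`) while the checkout action in the same job is pinned to a full commit SHA, so the job's supply-chain pinning is inconsistent; pin the image by digest as well, e.g. `image: semgrep/semgrep:1.102.0@sha256:<IMAGE_DIGEST>` (digest to be taken from the registry). The CI job also runs Semgrep 1.102.0 whereas the pre-commit hook added in the second hunk of this commit uses `rev: v1.148.0`, so local and CI runs can disagree on findings; aligning the two versions, or documenting why they differ, avoids confusing "passes locally, fails in CI" reports. Finally, `p/security-audit` is presumably fetched from the Semgrep registry at run time, so the rule set applied is not fixed by the commit; a comment such as `# Ruleset is resolved from the Semgrep registry at run time; results may change without a repo change` above the run step would make that explicit. The `spellcheck` job whose `run: |` step opens this hunk starts outside it, and `scan-code` continues past its end.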
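Review bot: The new hook is registered with `stages: [manual]` only, so it never runs on an ordinary commit and nothing in the file says how it is meant to be invoked; add a comment above the `- id: semgrep` entry such as `# Opt-in only: run with pre-commit run --hook-stage manual semgrep --all-files`. The hook passes `--skip-unknown-extensions` but the CI job in the first hunk of this commit does not, and the two pin different Semgrep versions, so a one-line comment noting that the hook mirrors the CI `semgrep-scan` job would help keep the two invocations in sync. The `repos:` list this hunk sits in starts before the hunk and the `pyproject-fmt` entry continues after it.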