4. Add Semgrep action

[witmicko]

migrating semgrep action into monorepo,
core code unchanged from https://github.com/MetaMask/semgrep-action
added monorepo support

---

Note

Adds a monorepo Semgrep action and a unified, callable security scan workflow with language detection, per-language CodeQL, and consolidated rules/tests.

• Workflows
  • Add unified /.github/workflows/security-scan.yml (callable) that:
    • Detects languages, runs CodeQL per-language, runs Semgrep once, and finalizes with optional Slack/metrics.
  • Add /.github/workflows/test-semgrep.yml to validate and test Semgrep rules.
  • Remove legacy /.github/workflows/reusable-codeql.yml and /.github/workflows/security-code-scanner.yml.
• New Package: packages/semgrep-action
  • Add composite action (action.yml) to install Semgrep, run scan with repo rules, and upload SARIF.
  • Add scripts (bin/validate-rules, bin/test, bin/scan), README, and CONTRIBUTING guide.
• Semgrep Rules and Tests
  • Add rules:
    • generic/npx-usage for JSON and shell/Dockerfile.
    • github-actions/publish-actions-cache-used to flag cache usage in publish workflows.
  • Add corresponding test fixtures under rules/test/....
• Changelog & Config
  • Update CHANGELOG.md with multi-language support and repo consolidation; update links.
  • Update package.json (add lint:changelog, bump @metamask/auto-changelog).

^{Written by Cursor Bugbot for commit a5b3e0d. This will update automatically on new commits. Configure here.}

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

• istanbul-lib-report@3.0.1
• convert-source-map@2.0.0
• @babel/plugin-syntax-import-meta@7.10.4
• @babel/plugin-syntax-logical-assignment-operators@7.10.4
• @babel/plugin-syntax-numeric-separator@7.10.4
• @octokit/request@8.4.1
• babel-plugin-istanbul@7.0.1
• jest-haste-map@30.2.0
• jest-worker@30.2.0
• @babel/core@7.28.5

View full report

[EllusionN]

We should bring over the CI tests to this repository as well: https://github.com/MetaMask/semgrep-action/blob/main/.github/workflows/test.yml

[EllusionN]

Can you open a follow up PR adding the remaining semgrep rules?

[EllusionN]

Noting CI failure due to linting errors

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​auto-changelog@​4.1.0 ⏵ 5.1.0	+2		+1	+13

View full report

[witmicko]

@SocketSecurity ignore npm/@octokit/request@8.4.1
@SocketSecurity ignore npm/babel-plugin-istanbul@7.0.1
@SocketSecurity ignore npm/jest-haste-map@30.2.0
@SocketSecurity ignore npm/jest-worker@30.2.0
build and cli tools, ok

@SocketSecurity ignore npm/@babel/plugin-syntax-import-meta@7.10.4
@SocketSecurity ignore npm/@babel/plugin-syntax-logical-assignment-operators@7.10.4
@SocketSecurity ignore npm/@babel/plugin-syntax-numeric-separator@7.10.4
@SocketSecurity ignore npm/convert-source-map@2.0.0
@SocketSecurity ignore npm/istanbul-lib-report@3.0.1
authors ok

@SocketSecurity ignore npm/@babel/core@7.28.5
@SocketSecurity ignore npm/istanbul-lib-report@3.0.1