Add Semgrep OWASP Top 10 security scan workflow

Runs on push/PR to main, weekly on Mondays, and on-demand.
Uploads SARIF results to GitHub Security tab.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: allanhaggett

.github/workflows/semgrep-owasp.yml

@@ -0,0 +1,49 @@
+name: Semgrep OWASP Top 10 Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 8 * * 1'  # Weekly on Monday at 08:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  semgrep-owasp:
+    name: OWASP Top 10 Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Semgrep OWASP Top 10 scan
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/owasp-top-ten
+        env:
+          SEMGREP_RULES: >-
+            p/owasp-top-ten
+
+      - name: Run Semgrep (SARIF output)
+        if: always()
+        run: |
+          pip install semgrep
+          semgrep scan \
+            --config p/owasp-top-ten \
+            --sarif \
+            --output semgrep-results.sarif \
+            . || true
+
+      - name: Upload SARIF to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep-results.sarif
+          category: semgrep-owasp