diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
new file mode 100644
index 0000000..021f0fe
--- /dev/null
+++ b/.github/workflows/semgrep-analysis.yml
@@ -0,0 +1,41 @@
+name: Semgrep
+
+on:
+  # Scan changed files in PRs, block on new issues only (existing issues ignored)
+  pull_request:
+
+  push:
+    branches: ["dev", "main"]
+
+  schedule:
+    - cron: '23 20 * * 1'
+
+  # Manually trigger the workflow
+  workflow_dispatch:
+
+jobs:
+  semgrep:
+    name: Scan
+    permissions:
+      security-events: write
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+      - run: semgrep ci --sarif > semgrep.sarif
+        env:
+          SEMGREP_RULES: >- # more at semgrep.dev/explore
+            p/security-audit
+            p/secrets
+            p/owasp-top-ten
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16 
+        with:
+          sarif_file: semgrep.sarif
+        if: always()