PIA-1914: Add semgrep static analyzer to CI

.github/workflows/semgrep.yaml

@@ -0,0 +1,29 @@
+name: Security / Semgrep
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  semgrep:
+    name: Security / Semgrep
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep:1.68.0
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - name: Checkout source repository
+        uses: actions/checkout@v4
+      - name: Scan with Semgrep
+        env:
+          # Connect to Semgrep Cloud Platform
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+        run: |
+          semgrep ci \
+            --code \
+            --secrets \
+            --supply-chain \
+            --pro \
+            --no-suppress-errors