Conversation

@wajidzahoor-dls wajidzahoor-dls commented Nov 20, 2025

Summary

  • Add Semgrep as a pre-commit hook to help catch security issues and common bug patterns early.
  • Use Semgrep’s default ruleset (p/default) for broad multi-language coverage.
  • Configure Semgrep to:
    • Fail the commit when findings are present (--error).
    • Skip unknown file extensions to reduce noise.

Only the pre-commit configuration is updated; no application code changes are included.


How to test

Testing depends on your environment:

  • Devcontainer: pre-commit hooks (including Semgrep) are installed automatically.
  • CI: Semgrep runs as part of the existing pre-commit lint stage.

To manually verify Semgrep runs:

pre-commit run semgrep --all-files

This should report findings if any tracked files violate rules.


Optional spot check

Create a temporary file, for example tmp_bad.py, that contains a few intentionally unsafe patterns such as:

import subprocess
import hashlib

user_input = input("Enter something: ")
eval(user_input)  # code injection: untrusted input evaluated as Python

subprocess.Popen(user_input, shell=True)  # command injection: untrusted input passed to a shell

hashlib.md5(b"password").hexdigest()  # weak hash: MD5 used for a password

Then add and commit the file; the Semgrep pre-commit hook should run automatically and report findings.
Remove the file afterwards.


Notes

  • Semgrep’s registry-based rules send pseudonymous metrics by default; this can be disabled later if required.
  • Like other static analysis tools, Semgrep may occasionally produce false positives (flagging safe code) or false negatives (missing issues), but it seems to provide meaningful early detection with minimal configuration.
  • False positives can be suppressed using # nosemgrep (and other inline ignore directives) as described in the Semgrep docs: https://semgrep.dev/docs/ignoring-files-folders-code/
  • For detailed documentation of Semgrep, see: https://semgrep.dev/docs/

Reviewer checks

  • Semgrep runs as a pre-commit hook
  • CI passes with Semgrep enabled
  • No unintended changes beyond .pre-commit-config.yaml
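A .pre-commit-config.yaml entry that matches the settings listed in the description, added here as an illustration; it is not the diff from this PR, which is not shown on the page. The hook repository URL and the hook id are taken from Semgrep's published pre-commit hook, and the rev value is a placeholder that must be pinned to a real release tag before use.

```yaml
# Added example, not the PR's own .pre-commit-config.yaml.
# Assumptions: repo URL and hook id follow Semgrep's published pre-commit hook;
# rev is a placeholder and should be pinned to a released tag.
repos:
  - repo: https://github.com/semgrep/pre-commit
    rev: v1.0.0  # placeholder tag
    hooks:
      - id: semgrep
        name: semgrep
        args:
          - --config=p/default          # registry ruleset, broad multi-language coverage
          - --error                     # exit non-zero on findings, so the commit is blocked
          - --skip-unknown-extensions   # ignore files Semgrep has no language for, to cut noise
```

The --error flag is what turns findings into a failed commit: without it Semgrep exits 0 even when it reports findings and pre-commit would mark the hook as passed. To reproduce the spot check from the description without actually committing the temporary file, run the hook against that file alone with `pre-commit run semgrep --files tmp_bad.py`.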

codecov bot commented Nov 20, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.37%. Comparing base (0f75fa1) to head (96b006f).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #272   +/-   ##
=======================================
  Coverage   90.37%   90.37%           
=======================================
  Files          68       68           
  Lines        2368     2368           
=======================================
  Hits         2140     2140           
  Misses        228      228           

@GDYendell
Contributor

I have fixed some findings and ignored others, so it is passing now. The problem I have with this is it is very slow. Taking between 30 and 90 seconds, it definitely can't be a pre-commit hook. Could we have it just as CI instead? Is there any way to speed it up?

I am also quite confused by the output. It seems to run 4 independent scans and report the findings separately, so it is quite hard to read. Is this a configuration problem?
