SYNC: Add SAST workflow for security scanning using Semgrep

workflow-templates/sast.yaml

@@ -0,0 +1,30 @@
+name: SAST
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  sast:
+    runs-on: ubuntu-latest
+
+    container:
+      image: semgrep/semgrep
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: Clone Apiiro malicious code ruleset
+        run: git clone https://github.com/apiiro/malicious-code-ruleset.git /apiiro-ruleset
+
+      - name: Run Semgrep SAST scan
+        run: semgrep ci --code --config=auto --config /apiiro-ruleset --json > sast-report.json || true
+
+      - name: Upload SAST report
+        uses: actions/upload-artifact@v4
+        with:
+          name: sast-report
+          path: sast-report.json