ci: add Semgrep SAST scanning on pull requests (#95)

Made-with: Cursor

Author: ulziibay-kernel

.github/workflows/semgrep.yml

@@ -0,0 +1,17 @@
+name: Semgrep
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    uses: kernel/security-workflows/.github/workflows/semgrep.yml@main
+    with:
+      extra-configs: '--config p/javascript --config p/typescript'
+      codebase-description: 'Hosted MCP server handling authenticated tool execution and browser session data'
+    secrets: inherit

.semgrepignore

@@ -0,0 +1,8 @@
+node_modules/
+dist/
+.next/
+out/
+bun.lock
+package-lock.json
+**/*.test.ts
+**/*.spec.ts