diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c95e8d..55d7b24 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,3 +18,7 @@ jobs:
       - run: npm ci
       - run: npm run test
       - run: npm audit --audit-level=high
+      - name: Install Semgrep
+        run: python3 -m pip install --user semgrep
+      - name: Semgrep scan
+        run: semgrep scan --config=auto --error --severity=ERROR