diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8484718..5ee3f7c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,3 +21,7 @@ jobs:
       - run: npm run typecheck
       - run: npm run test
       - run: npm audit --audit-level=high
+      - name: Install Semgrep
+        run: python3 -m pip install --user semgrep
+      - name: Semgrep scan
+        run: semgrep scan --config=auto --error --severity=ERROR