Set up continuous SAST with Semgrep

Add a Static Application Security Test (SAST) scan with Semgrep [1].
Semgrep supports scanning JavaScript, Dockerfiles, and configuration
files such as GitHub Actions workflows.

Harden-runner is not configured for this job because it doesn't work
with container-based jobs.

--
1. https://semgrep.dev

Author: ericcornelissen

.github/workflows/check.yml

@@ -114,6 +114,18 @@ jobs:
       - name: Lint YAML
         if: ${{ failure() || success() }}
         run: make lint-yml
+  semgrep:
+    name: Semgrep
+    runs-on: ubuntu-22.04
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - name: Perform Semgrep analysis
+        run: semgrep ci
   test:
     name: Test
     runs-on: ubuntu-22.04