From aa2aa16df400732c1f092dddfa16700e880d24cc Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 30 Sep 2025 10:30:05 +0530
Subject: [PATCH] add php support for sast
---
 .github/workflows/codeql.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..f9dad8c1
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,36 @@
+name: CodeQL (php)
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ workflow_dispatch:
+
+jobs:
+ semgrep:
+ runs-on: ubuntu-latest
+ container:
+ image: semgrep/semgrep:latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Semgrep (PHP)
+ run: >
+ semgrep scan
+ --config p/default
+ --include '**/*.php'
+ --include '**/*.phtml'
+ --include '**/*.php5'
+ --include '**/*.php7'
+ --include '**/*.inc'
+ --sarif --output semgrep.sarif
+ - name: Upload SARIF
+ uses: hyperwallet/public-security-workflows/.github/actions/upload-sarif@main
+ if: always()
+ with:
+ sarif_file: semgrep.sarif
\ No newline at end of file
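Review bot: The new workflow declares no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository is configured with, although a SAST job only needs to read the checkout and write SARIF results; add at the top level `permissions:` / `  contents: read` / `  security-events: write` (widen only if the hyperwallet upload action documents needing more). The job also pulls two mutable references, `image: semgrep/semgrep:latest` and `upload-sarif@main`, which means a push to the upstream image or branch changes what executes in this repository's CI without any review here; pinning the image to a digest and the action to a full commit SHA (with the tag kept in a trailing comment) makes the scan reproducible and reviewable. The `if: always()` on the upload step will also run when the scan step failed before writing `semgrep.sarif`, so either guard it with the scan step's outcome or confirm the upload action tolerates a missing file. Finally, the workflow name `CodeQL (php)` is misleading because the job runs Semgrep, not CodeQL; `name: Semgrep (php)` would avoid confusion in the Security tab and in branch-protection check names.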