From 38a4e8958f46d8425d597dd162a9d6a9314e3ad7 Mon Sep 17 00:00:00 2001
From: Michael Contreras
Date: Tue, 16 Dec 2025 09:51:12 -0800
Subject: [PATCH] chore(github): add security checks
---
 .github/workflows/security.yml | 29 +++++++++++++++++++++++++++++
 audit-ci.jsonc | 4 ++++
 2 files changed, 33 insertions(+)
 create mode 100644 .github/workflows/security.yml
 create mode 100644 audit-ci.jsonc
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..912608f
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,29 @@
+name: Security
+
+on: [push, workflow_dispatch]
+
+jobs:
+ vuln-dep-check:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Install node
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: '.nvmrc'
+ cache: npm
+ - name: npm audit
+ run: npx audit-ci@^6 --config ./audit-ci.jsonc
+ semgrep:
+ runs-on: ubuntu-latest
+ concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ container:
+ image: returntocorp/semgrep
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep ci
+
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
new file mode 100644
index 0000000..48c7f43
--- /dev/null
+++ b/audit-ci.jsonc
@@ -0,0 +1,4 @@
+{
+ "high": true,
+ "allowlist": [],
+}
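Review bot: Every third-party component in the new workflow is referenced by a mutable tag or range — `actions/checkout@v4`, `actions/setup-node@v4`, `npx audit-ci@^6` and the untagged `image: returntocorp/semgrep` — so the job meant to catch vulnerable dependencies is itself resolved fresh on every run and can change under you without a commit to this repository. Pin both actions to a full commit SHA (keeping the `# v4` tag as a trailing comment so Dependabot can still bump them), pin `audit-ci` to an exact version, and reference the container image by digest; `returntocorp/` is the older Docker Hub namespace for Semgrep, so confirm it is still the one the vendor updates. The workflow also declares no `permissions:` block, so both jobs inherit the repository default for `GITHUB_TOKEN`, which on older repositories may be read-write; neither job needs more than a checkout, so add `permissions:` / `  contents: read` at the top level. `SEMGREP_APP_TOKEN` is correctly scoped to the `semgrep` job only, but since `semgrep ci` is given no fallback `--config`, a missing or expired secret will turn the scan into a hard failure rather than a degraded run — worth a one-line comment above the `env:` key saying the token is required.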
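Review bot: The new audit policy is undocumented: `"high": true` makes audit-ci fail the run only on high and critical advisories, and the empty `allowlist` gives the next maintainer no guidance on how exceptions should be recorded or expired. Since the file is JSONC, a short header comment such as `// Fail CI on high/critical advisories; lower severities are reported but not blocking. Allowlist entries must carry the advisory id, a justification and a review date.` would make the threshold a deliberate choice rather than a copied default.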