Add Semgrep analysis

.github/workflows/reusable-static-analysis.yml

@@ -12,8 +12,8 @@
 permissions: {}
 
 jobs:
-  test:
-    name: ${{ inputs.php }}
+  phpstan:
+    name: PHPStan on PHP ${{ inputs.php }}
     runs-on: ubuntu-24.04
     permissions:
       contents: read
@@ -56,3 +56,26 @@
 
     - name: Run static analysis
       run: composer run test:phpstan
+
+  semgrep:
+    name: Semgrep
+    if: ${{ inputs.php != '7.4' }}
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    timeout-minutes: 10
+    container:
+      image: semgrep/semgrep
+    steps:
+      - name: Debug
+        run: | #shell
+          echo '${{ toJSON(inputs) }}'
+        shell: bash
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: Run semgrep
+        run: semgrep --config "p/wordpress" --verbose .

README.md

@@ -49,6 +49,7 @@ Plugins that use this library all use a similar setup in their workflows:
 	* Uses `reusable-static-analysis.yml`
 		* Installs PHP
 		* Runs static analysis with PHPStan
+		* Runs static analysis with Semgrep
 
 ### Workflow file linting