diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..bce5fc8
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,35 @@
+name: Semgrep
+
+# Run workflow each time code is pushed to your repository.
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install Semgrep
+        run: pip install semgrep
+
+      - name: Run Semgrep
+        run: |
+          semgrep --config .semgreprules/customRule.yml --config auto --severity ERROR --sarif . > results.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+
+      - name: Upload results
+        uses: actions/upload-artifact@v4
+        with:
+          name: semgrep-results
+          path: results.sarif
diff --git a/.semgreprules/customRule.yml b/.semgreprules/customRule.yml
new file mode 100644
index 0000000..b275e28
--- /dev/null
+++ b/.semgreprules/customRule.yml
@@ -0,0 +1,30 @@
+rules:
+- id: check-sensitive-info
+  message: >-
+    Potential sensitive information found: $1
+  severity: ERROR
+  languages:
+    - yaml
+    - go
+    - javascript
+    - java
+    - python
+    - golang
+    - docker
+  patterns:
+  - pattern-regex: (?i)\b(api[_-]key|api[_-]token|api[_-]secret[_-]key|api[_-]password|token|secret[_-]key|password|auth[_-]key|auth[_-]token|AUTH_PASSWORD)\s*[:=]\s*(['"]?)((?!YOUR_EXCLUSION_PATTERN_HERE)[A-Z]+.*?)\2
+
+- id: check-logger-appconfig
+  message: >-
+    Potential Logging configuration found: $1
+  severity: ERROR
+  languages:
+    - yaml
+    - go
+    - javascript
+    - java
+    - python
+    - golang
+    - docker
+  patterns:
+  - pattern-regex: log\.Logger\(\).*(appConfig).*