diff --git a/.github/workflows/semgrep-sast.yml b/.github/workflows/semgrep-sast.yml
new file mode 100644
index 0000000..99924de
--- /dev/null
+++ b/.github/workflows/semgrep-sast.yml
@@ -0,0 +1,25 @@
+name: Semgrep-SAST
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - '**' # Triggers on any branch for pull requests
+
+jobs:
+  docker-security-scans:
+    name: Docker security scans
+    runs-on: ubuntu-latest
+    container:
+      # Use the latest Semgrep Docker image
+      image: returntocorp/semgrep:latest
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+
+      # Run the "semgrep ci" command on the command line of the docker image.
+      - run: semgrep ci
+        env:
+          SEMGREP_RULES: "p/owasp-top-ten" # more at semgrep.dev/explore