diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d4fdfc3e..2531a8db 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -93,6 +93,40 @@ test_build:
     - if: $CI_PIPELINE_SOURCE == "push"
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
+semgrep:
+  # A Docker image with Semgrep installed.
+  image: semgrep/semgrep
+
+  rules:
+    # Scan changed files in MRs, (diff-aware scanning):
+    - if: $CI_MERGE_REQUEST_IID
+
+    # Scan mainline (default) branches and report all findings.
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+  variables:
+    # Connect to Semgrep AppSec Platform through your SEMGREP_APP_TOKEN.
+    # Generate a token from Semgrep AppSec Platform > Settings
+    # and add it as a variable in your GitLab CI/CD project settings.
+    SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN
+
+    # Upload findings to GitLab SAST Dashboard:
+    SEMGREP_GITLAB_JSON: "1"
+
+    # Other optional settings in the `variables` block:
+
+    # Receive inline MR comments (requires Semgrep AppSec Platform account)
+    # Setup instructions:
+    # https://semgrep.dev/docs/semgrep-appsec-platform/gitlab-mr-comments
+    # GITLAB_TOKEN: $PAT
+
+  # Run the "semgrep ci" command on the command line of the docker image and send findings
+  # to GitLab SAST.
+  script: semgrep ci --gitlab-sast > gl-sast-report.json || true
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+
 # Actual release -- triggered by pushing a new version tag
 release_job:
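Review bot: The `|| true` on the new `script:` line makes the semgrep job pass regardless of outcome, so a Semgrep failure (missing or invalid SEMGREP_APP_TOKEN, an image pull or crash) is indistinguishable from a clean scan and the SAST report silently goes missing. If the intent is only that findings should not block the pipeline, the GitLab-native form is to drop the suffix and mark the job `allow_failure: true`, giving `artifacts:` a `when: always` so gl-sast-report.json is still uploaded when the command exits non-zero; the pipeline then shows a warning instead of hiding errors. Relatedly, `image: semgrep/semgrep` floats on the default tag, so each pipeline runs whatever the registry currently serves; pinning a version tag (`image: semgrep/semgrep:<pinned-version>`) or a digest keeps scan results reproducible and limits exposure to a regressed or compromised image. Since `SEMGREP_APP_TOKEN: $SEMGREP_APP_TOKEN` only re-exports a project variable, the comment above it could also state that the variable should be masked and protected in the project's CI/CD settings.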