From 3e807008adbb456ccd213042b00d595b0ac86423 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]"
 <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Tue, 28 Oct 2025 15:21:28 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/semgrep.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 38d3405..7a50ca6 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -17,6 +17,9 @@ on:
     - cron: '30 14 * * *'
     # or whatever time works best for your team.
 
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     # User definable name of this GitHub Actions job.
@@ -33,6 +36,11 @@ jobs:
 
     steps:
       # Fetch project source with GitHub Actions Checkout.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       # Run the "semgrep ci" command on the command line of the docker image.
       - run: semgrep scan --config auto