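{{- /*
template.scan-semgrep: workflow step that runs a Semgrep scan over /workspace
and writes the results as SARIF to /workspace/reports/semgrep.sarif.

The step is best-effort: it always exits 0 so the surrounding workflow keeps
running. A failed scan is reported on stderr, because a missing or partial
SARIF file must not be mistaken for "no findings".

Expects a volume named "workspace" to be declared by the enclosing workflow.
*/ -}}
{{- define "template.scan-semgrep" }}
- name: scan-semgrep
  container:
    # NOTE(review): the image is referenced by tag only; pinning by digest
    # would make the scanner image immutable.
    image: returntocorp/semgrep:1.85.0
    command:
      - sh
      - -c
    args:
      - |
        set -eu
        mkdir -p /workspace/reports

        # `--config auto` pulls rules from the Semgrep registry at run time,
        # so the rule set is not pinned and the step needs outbound network.
        rc=0
        semgrep scan --config auto --sarif \
          --output /workspace/reports/semgrep.sarif /workspace || rc=$?

        # Findings alone do not make semgrep exit non-zero unless --error is
        # passed, so a non-zero status here means the scan itself failed.
        # Keep the step non-blocking, but make the failure visible.
        if [ "$rc" -ne 0 ]; then
          echo "WARNING: semgrep exited with status $rc;" \
            "/workspace/reports/semgrep.sarif may be missing or incomplete" >&2
        fi
    volumeMounts:
      - name: workspace
        mountPath: /workspace
{{- end }}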