Implementation Plan: Semgrep Scanner

Objective

Implement the Semgrep SAST (Static Application Security Testing) scanning step as a parallel task in the DAG.

Define a task template named scan-semgrep.
Depend on the clone-repo task.
Mount the shared PVC at /workspace.
Run Semgrep with standard or configurable rulesets against the /workspace directory.
Output findings in SARIF format.
Save the output to /workspace/reports/semgrep.sarif.
Ensure the task exits successfully even if vulnerabilities are found, so Phase 3 aggregation can run (e.g., wrap in a script that returns 0).