diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 0a6ad4a..0000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: CodeQL
-
-on:
- push:
- branches: ["main"]
- pull_request:
- branches: ["main"]
- schedule:
- - cron: "12 1 * * 0"
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
- with:
- languages: csharp
-
- - name: Autobuild
- uses: github/codeql-action/autobuild@v2
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
- with:
- category: "/language:csharp"
\ No newline at end of file
diff --git a/.github/workflows/semgrep-full-scan.yaml b/.github/workflows/semgrep-full-scan.yaml
new file mode 100644
index 0000000..386944c
--- /dev/null
+++ b/.github/workflows/semgrep-full-scan.yaml
@@ -0,0 +1,37 @@
+name: Semgrep Full Scan
+
+on:
+ workflow_dispatch:
+ branches:
+ - main
+ schedule:
+ - cron: '0 9 * * 6'
+
+jobs:
+ semgrep-full:
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep
+
+ steps:
+ - name: clone application source code
+ uses: actions/checkout@v3
+
+ - name: full scan
+ run: |
+ semgrep \
+ --sarif --output report.sarif \
+ --metrics=off \
+ --config="p/default"
+
+ - name: save report as pipeline artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: report.sarif
+ path: report.sarif
+
+ - name: publish code scanning alerts
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: report.sarif
+ category: semgrep
\ No newline at end of file
diff --git a/.github/workflows/semgrep-pull-request.yml b/.github/workflows/semgrep-pull-request.yml
new file mode 100644
index 0000000..868be1c
--- /dev/null
+++ b/.github/workflows/semgrep-pull-request.yml
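Review bot: The `semgrep-full` job declares no `permissions:` block, yet its last step calls `github/codeql-action/upload-sarif@v2`, which needs `security-events: write`; the deleted codeql.yml granted exactly that, so on a repository whose default GITHUB_TOKEN is read-only the upload step will fail, and on a permissive default the job carries write scopes it never uses. Add `permissions:` / `  contents: read` / `  security-events: write` at the job level (plus `actions: read` for a private repository, as the removed workflow had). `semgrep-pull-request.yml` in this same commit also lacks a `permissions:` block; there `contents: read` is all the job needs. The `branches:` filter nested under `workflow_dispatch:` is not a documented key for that event (only `inputs` is), so it is likely rejected or silently ignored by the workflow parser and should be dropped. Separately, `actions/checkout@v3`, `actions/upload-artifact@v3`, `upload-sarif@v2` and the untagged `returntocorp/semgrep` container are all referenced by mutable tags in both new workflows; pinning the actions to a commit SHA and the image to a version tag or digest would make the scans reproducible and resistant to tag movement.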
@@ -0,0 +1,25 @@
+name: Semgrep Pull Request Scan
+on:
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ semgrep-diff:
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep
+
+ steps:
+ - name: clone application source code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: pull request scan
+ run: |
+ semgrep scan \
+ --error \
+ --verbose \
+ --time \
+ --baseline-commit ${{ github.event.pull_request.base.sha }} \
+ --config="p/default"
\ No newline at end of file
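Review bot: The `pull request scan` step interpolates `${{ github.event.pull_request.base.sha }}` directly into the `run:` shell script; the value is a commit SHA issued by GitHub, so the practical injection risk here is low, but routing event data through an environment variable is the recommended form for `run:` steps and costs nothing. Put `env:` / `  BASELINE_SHA: ${{ github.event.pull_request.base.sha }}` on the step and use `--baseline-commit "$BASELINE_SHA" \` in the script. With `--error` the job fails on findings but nothing is uploaded, so results are only visible in the job log; if that is intended, a one-line comment above the step saying so would spare the next reader from hunting for a missing SARIF upload step. `fetch-depth: 0` is presumably there so the baseline commit is reachable for the diff scan — worth a short comment on that line as well.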