fix: expand Semgrep ruleset to cover TypeScript, Dockerfile, and shell security

lefthook.yml

@@ -105,7 +105,7 @@ pre-commit:
       run: cd frontend && npm run lint
 
     semgrep:
-      glob: "**/*.{go,ts,tsx,js,jsx,sh,yml,yaml}"
+      glob: "**/*.{go,ts,tsx,js,jsx,sh,yml,yaml,json},Dockerfile*"
       exclude: 'frontend/(coverage|dist|node_modules|\.vite)/'
       run: scripts/pre-commit-hooks/semgrep-scan.sh
 

scripts/pre-commit-hooks/semgrep-scan.sh

@@ -24,10 +24,13 @@ else
   SEMGREP_CONFIGS=(
     --config p/golang
     --config p/javascript
+    --config p/typescript
     --config p/react
     --config p/secrets
+    --config p/dockerfile
+    --config p/bash
   )
-  echo "Running Semgrep with configs: p/golang, p/javascript, p/react, p/secrets"
+  echo "Running Semgrep with configs: p/golang, p/javascript, p/typescript, p/react, p/secrets, p/dockerfile, p/bash"
 fi
 
 semgrep scan \
@@ -38,4 +41,4 @@ semgrep scan \
   --exclude "frontend/node_modules" \
   --exclude "frontend/coverage" \
   --exclude "frontend/dist" \
-  backend frontend/src scripts .github/workflows
+  Dockerfile backend frontend/src scripts .github/workflows