diff --git a/lefthook.yml b/lefthook.yml
index 0c628e9f..d9ad8b28 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -104,13 +104,9 @@ pre-commit:
glob: "frontend/**/*.{ts,tsx,js,jsx}"
run: cd frontend && npm run lint
-
-# ============================================================
-# PRE-PUSH (blocking, runs on push)
-# ============================================================
-pre-push:
- commands:
semgrep:
+ glob: "**/*.{go,ts,tsx,js,jsx,sh,yml,yaml}"
+ exclude: 'frontend/(coverage|dist|node_modules|\.vite)/'
run: scripts/pre-commit-hooks/semgrep-scan.sh
diff --git a/scripts/pre-commit-hooks/semgrep-scan.sh b/scripts/pre-commit-hooks/semgrep-scan.sh
index e49e360b..f2423b09 100755
--- a/scripts/pre-commit-hooks/semgrep-scan.sh
+++ b/scripts/pre-commit-hooks/semgrep-scan.sh
@@ -15,13 +15,23 @@ fi
cd "${REPO_ROOT}"
-# Default to p/golang for speed (~30s vs 60-180s for auto).
-# Override with: SEMGREP_CONFIG=auto git push
-readonly SEMGREP_CONFIG_VALUE="${SEMGREP_CONFIG:-p/golang}"
+# Default: full security ruleset covering Go backend, JS/TS/React frontend, secrets.
+# Override with: SEMGREP_CONFIG=auto git commit (runs all Semgrep rules, ~3-5 min)
+if [ -n "${SEMGREP_CONFIG:-}" ]; then
+ SEMGREP_CONFIGS=(--config "${SEMGREP_CONFIG}")
+ echo "Running Semgrep with override config: ${SEMGREP_CONFIG}"
+else
+ SEMGREP_CONFIGS=(
+ --config p/golang
+ --config p/javascript
+ --config p/react
+ --config p/secrets
+ )
+ echo "Running Semgrep with configs: p/golang, p/javascript, p/react, p/secrets"
+fi
-echo "Running Semgrep with config: ${SEMGREP_CONFIG_VALUE}"
semgrep scan \
- --config "${SEMGREP_CONFIG_VALUE}" \
+ "${SEMGREP_CONFIGS[@]}" \
--severity ERROR \
--severity WARNING \
--error \
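Review bot: The new `glob` on the `semgrep` command means a commit that only stages files outside `*.{go,ts,tsx,js,jsx,sh,yml,yaml}` — a `.env`, `.json`, `.toml`, `.md` or `.py` file carrying a credential — never triggers the hook, so the `p/secrets` ruleset the script now enables by default is skipped for exactly the files where leaked secrets most often land; the removed `pre-push` stage had no such filter and ran on every push. Either drop the `glob` line so the command runs on every commit, or widen it to cover secret-bearing types, e.g. `glob: "**/*.{go,ts,tsx,js,jsx,sh,yml,yaml,json,toml,env,md}"`. Note also that in lefthook a `glob` only decides whether the command runs; unless `semgrep-scan.sh` is handed `{staged_files}` (not visible here), the script scans whatever it chooses regardless of this filter, so it is worth a comment above `glob:` stating which of the two behaviours is intended, e.g. `# glob/exclude only gate whether the scan runs; the script decides what is scanned`.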
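Review bot: The `SEMGREP_CONFIG` override in the new `if` branch silently replaces the whole default set rather than extending it, and accepts only a single config, so `SEMGREP_CONFIG=p/owasp-top-ten git commit` drops `p/secrets` with no indication in the output and there is no way to request two rulesets at once. The header comment should say that the override replaces the defaults, and the branch should split the value into one `--config` per entry so several can be given; `read -r -a` is used below rather than unquoted expansion so no pathname globbing happens on the value. The `semgrep scan` command continues past the end of the hunk, so whether it is given explicit paths or scans the whole repository is not visible here.

```shell
# Override with: SEMGREP_CONFIG="auto" git commit (replaces the defaults; space-separate several, e.g. "p/golang p/secrets")
if [ -n "${SEMGREP_CONFIG:-}" ]; then
  read -r -a override_configs <<< "${SEMGREP_CONFIG}"
  SEMGREP_CONFIGS=()
  for cfg in "${override_configs[@]}"; do
    SEMGREP_CONFIGS+=(--config "${cfg}")
  done
  echo "Running Semgrep with override config(s): ${SEMGREP_CONFIG}"
else
  # … unchanged: default p/golang, p/javascript, p/react, p/secrets …
```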