Semgrep Supply Chain adds a capability beyond plain dependency matching: for a dependency with a known CVE it also checks whether the defective code that would trigger that CVE is actually present and reachable from the scanned repository, rather than only reporting that a vulnerable version is listed in a lockfile.
The task is to evaluate how effective that capability is across a large enough set of Wikimedia repositories to give us a full assessment of whether it would be useful to us or not.
Note: for licensing reasons, the commercial version of the tool should only be run on local laptops.
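To make the assessment comparable across repositories, the numbers worth collecting per repository are: how many Supply Chain findings there are, how many of those Semgrep marks reachable versus unreachable, and how many come from rules with no reachability analysis at all (lockfile-only matches, which any SCA tool would report). The script below is an added example for this task, not code from Semgrep or from Wikimedia. It assumes each repository was scanned locally with `semgrep ci --json > <repo>.json` (with a Supply Chain-enabled login so the SCA rules run) and that findings carry `extra.sca_info.reachable`, `extra.sca_info.reachability_rule` and `extra.metadata.cve` as in Semgrep's JSON output at the time of writing; the rule ids, package names and CVE ids in the embedded sample are constructed for illustration.

```python
"""Summarise Semgrep Supply Chain reachability findings across repositories.

Usage: python summarize_ssc.py repo-a.json repo-b.json ...
With no arguments it runs over the constructed sample below.
"""
import json
import sys
from pathlib import Path

# Constructed sample: the shape of two repositories' `semgrep ci --json`
# output, reduced to the fields this script reads. Rule ids, package names
# and CVE ids are invented for illustration (assumption about the schema).
SAMPLE_REPORTS = {
    "repo-a": {"results": [
        {"check_id": "ssc-example-a", "path": "composer.lock",
         "extra": {"metadata": {"cve": "CVE-0000-0001"},
                   "sca_info": {"reachable": True, "reachability_rule": True,
                                "dependency_match": {
                                    "found_dependency": {"package": "example/lib",
                                                         "version": "1.2.3"},
                                    "lockfile": "composer.lock"}}}},
        {"check_id": "ssc-example-b", "path": "composer.lock",
         "extra": {"metadata": {"cve": "CVE-0000-0002"},
                   "sca_info": {"reachable": False, "reachability_rule": True,
                                "dependency_match": {
                                    "found_dependency": {"package": "example/other",
                                                         "version": "2.0.0"},
                                    "lockfile": "composer.lock"}}}},
        # An ordinary code finding (no sca_info) must not be counted as SCA.
        {"check_id": "php.lang.security.example", "path": "src/Foo.php",
         "extra": {"metadata": {}}},
    ]},
    "repo-b": {"results": [
        {"check_id": "ssc-example-c", "path": "package-lock.json",
         "extra": {"metadata": {"cve": "CVE-0000-0003"},
                   "sca_info": {"reachable": False, "reachability_rule": False,
                                "dependency_match": {
                                    "found_dependency": {"package": "example-js",
                                                         "version": "0.9.0"},
                                    "lockfile": "package-lock.json"}}}},
    ]},
}


def classify(result):
    """Bucket one finding: 'reachable', 'unreachable',
    'no-reachability-rule' (lockfile-only match), or None if not an SCA finding."""
    sca = result.get("extra", {}).get("sca_info")
    if not sca:
        return None
    if sca.get("reachable"):
        return "reachable"
    if sca.get("reachability_rule"):
        return "unreachable"
    return "no-reachability-rule"


def summarize(reports):
    """Per-repository counts plus the details of every reachable finding."""
    summary = {}
    for repo, report in reports.items():
        counts = {"reachable": 0, "unreachable": 0, "no-reachability-rule": 0}
        reachable = []
        for r in report.get("results", []):
            kind = classify(r)
            if kind is None:
                continue
            counts[kind] += 1
            if kind == "reachable":
                sca = r["extra"]["sca_info"]
                dep = sca.get("dependency_match", {}).get("found_dependency", {})
                reachable.append({
                    # Fall back to the rule id when no CVE is attached.
                    "cve": r["extra"].get("metadata", {}).get("cve", r["check_id"]),
                    "package": dep.get("package"),
                    "version": dep.get("version"),
                    "path": r.get("path"),
                })
        sca_total = sum(counts.values())
        summary[repo] = {**counts, "sca_total": sca_total,
                         "reachable_findings": reachable}
    return summary


def load_reports(paths):
    """Map each JSON file to a report, keyed by the file's stem (the repo name)."""
    return {Path(p).stem: json.loads(Path(p).read_text()) for p in paths}


def main(argv):
    reports = load_reports(argv[1:]) if len(argv) > 1 else SAMPLE_REPORTS
    for repo, s in summarize(reports).items():
        print(f"{repo}: {s['sca_total']} SCA findings, {s['reachable']} reachable, "
              f"{s['unreachable']} unreachable, "
              f"{s['no-reachability-rule']} without reachability analysis")
        for f in s["reachable_findings"]:
            print(f"  {f['cve']}  {f['package']}@{f['version']}  ({f['path']})")


if __name__ == "__main__":
    main(sys.argv)
```

The ratio of reachable to unreachable findings across the repository set is the figure that answers the task: it shows how much of the usual lockfile-only noise the reachability analysis removes. Findings in the "no-reachability-rule" bucket should be reported separately, since for those Semgrep gives no more information than a conventional dependency scanner would.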