fixes for LOC-6730

Author: rounak610

.github/workflows/Semgrep.yml

@@ -27,7 +27,8 @@ jobs:
 
     container:
       # A Docker image with Semgrep installed. Do not change this.
-      image: returntocorp/semgrep
+      # Pinned by digest (LOC-6730 / INF-002) — tag-mutation is a supply-chain vector.
+      image: returntocorp/semgrep@sha256:9349edbadf90c3f3c0c3f55867625354e89680e6fa10d9034042af52fdb0e0d0
 
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')