This adds semgrep rules, adds a Makefile rule to run it, adds a job in the pipeline, and also fixes warnings.