diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
index 1ae40099..8b3805c3 100644
--- a/.github/workflows/semgrep-analysis.yml
+++ b/.github/workflows/semgrep-analysis.yml
@@ -23,7 +23,7 @@ jobs:
 - uses: actions/checkout@v4
 - run: semgrep ci --sarif > semgrep.sarif
 env:
- SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ SEMGREP_RULES: p/default
 - uses: github/codeql-action/upload-sarif@v3
 if: always()
 with:
diff --git a/.github/workflows/semgrep-pro-analysis.yml b/.github/workflows/semgrep-pro-analysis.yml
new file mode 100644
index 00000000..1ae40099
--- /dev/null
+++ b/.github/workflows/semgrep-pro-analysis.yml
@@ -0,0 +1,30 @@
+name: semgrep
+on:
+ push:
+ branches: [master, next]
+ pull_request: {}
+ workflow_dispatch: {}
+ schedule:
+ - cron: "28 6 * * 4"
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.run_id }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+jobs:
+ analyze:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ container:
+ image: semgrep/semgrep
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep ci --sarif > semgrep.sarif
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ - uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: semgrep.sarif
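Review bot: After this change two workflows upload a Semgrep SARIF for the same commit through `github/codeql-action/upload-sarif@v3`, and neither `with:` block (this one continues past the end of the hunk) sets a `category`, so code scanning will likely treat both uploads as the same analysis and the later one will replace the earlier one's alerts. Give each upload its own category, e.g. add `category: semgrep-oss` under `with:` here and a distinct value in the pro workflow, so the two result sets coexist. The rules named by `SEMGREP_RULES: p/default` are fetched from the Semgrep registry at run time, so rule content can change between runs without any change in this repository; a short comment above the `env:` line stating that this workflow is the token-free variant (and why it exists) would help the next maintainer.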
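Review bot: The new file keeps `name: semgrep` and a `concurrency.group` built from `${{ github.workflow }}`, and since its blob id `1ae40099` is the pre-change blob of semgrep-analysis.yml, that file presumably still carries the same `name:` (its first lines are outside the first hunk); concurrency groups are repository-wide, so on a pull request the two workflows would share the group `semgrep-<head label>` with `cancel-in-progress: true` and cancel each other. Renaming this workflow, `name: semgrep-pro`, gives it its own group and also keeps the two check runs distinguishable in the checks list. The `pull_request: {}` trigger also fires for pull requests from forks, where `secrets.SEMGREP_APP_TOKEN` is empty and the job token cannot satisfy `security-events: write`, so the job should skip those runs with something like `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on the `analyze` job. `image: semgrep/semgrep` is an unpinned tag, so the scanner that runs on every push can change underneath you; pinning it to a digest (with a comment recording the version) keeps the analysis reproducible.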