diff --git a/.github/actions/install_requirements/action.yml b/.github/actions/install_requirements/action.yml
index 7a7bda0d4..f43a5d0eb 100644
--- a/.github/actions/install_requirements/action.yml
+++ b/.github/actions/install_requirements/action.yml
@@ -12,6 +12,7 @@ runs:
 using: composite
 steps:
 - name: Get version of python
+ # nosemgrep
 run: |
 PYTHON_VERSION="${{ inputs.python-version }}"
 if [ $PYTHON_VERSION == "dev" ]; then
@@ -27,7 +28,7 @@ runs:
 python-version: ${{ env.PYTHON_VERSION }}
 - name: Install packages
- run: pip install ${{ inputs.pip-install }}
+ run: pip install ${{ inputs.pip-install }} # nosemgrep
 shell: bash
 - name: Report what was installed
diff --git a/.github/workflows/_tox.yml b/.github/workflows/_tox.yml
index a13536d3a..5419ac221 100644
--- a/.github/workflows/_tox.yml
+++ b/.github/workflows/_tox.yml
@@ -19,4 +19,4 @@ jobs:
 uses: ./.github/actions/install_requirements
 - name: Run tox
- run: tox -e ${{ inputs.tox }}
+ run: tox -e ${{ inputs.tox }} # nosemgrep
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ac9d1c556..90c4c1739 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,3 +23,15 @@ repos:
 entry: ruff format --force-exclude
 types: [python]
 require_serial: true
+
+
+ - repo: https://github.com/semgrep/pre-commit
+ rev: v1.144.0
+ hooks:
+ - id: semgrep
+ # Use Semgrep's "default" ruleset and fail the commit on findings
+ args:
+ - --config
+ - p/default
+ - --error
+ - --skip-unknown-extensions
diff --git a/src/fastcs/transports/rest/rest.py b/src/fastcs/transports/rest/rest.py
index f6600f94f..aa3db199a 100644
--- a/src/fastcs/transports/rest/rest.py
+++ b/src/fastcs/transports/rest/rest.py
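Review bot: The bare `# nosemgrep` added before `run: |` in this hunk, on the `pip install` line in the second hunk of this file, on the `tox -e` line in `_tox.yml` and on the `__annotations__` line in `rest.py` suppresses every Semgrep rule on that line rather than the one that fired, so any future finding on the same line is hidden without anyone noticing. Scope each suppression to the rule and record why it is accepted, e.g. `# nosemgrep: <RULE-ID> -- composite-action input, set only by the calling workflow`. For the three `run:` steps the finding is presumably the GitHub Actions shell-injection rule on `${{ inputs.* }}` expanded inside script text; the usual fix removes the need for a suppression by passing the input through the environment, e.g. `env:` / `  PIP_INSTALL: ${{ inputs.pip-install }}` and `run: pip install $PIP_INSTALL`, so the value is never spliced into the shell source. The `Get version of python` script continues outside the hunk; the `[ $PYTHON_VERSION == "dev" ]` test it contains should quote the variable (`[ "$PYTHON_VERSION" == "dev" ]`) so an empty input yields a false comparison rather than a test syntax error.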
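Review bot: `p/default` is fetched from the Semgrep registry each time the hook runs, so `rev: v1.144.0` pins the hook but not the rule set — findings, and with `--error` the commit failures they cause, can change with no change to this repository, and the hook needs network access to run at all. If reproducibility matters, point `--config` at a checked-in rules file; otherwise extend the added comment to say the rule set floats, e.g. `# Rules are fetched from the registry at run time and are not pinned by rev`. Pre-commit also only scans the files in a commit, so repo-wide coverage needs a separate CI invocation unless one already exists outside this diff. Minor: the two blank lines added before the new `- repo:` entry could be one.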
@@ -71,7 +71,7 @@ async def attr_put(request):
 await attribute.put(cast_from_rest_type(attribute.datatype, request.value))
 # Fast api uses type annotations for validation, schema, conversions
- attr_put.__annotations__["request"] = _put_request_body(attribute)
+ attr_put.__annotations__["request"] = _put_request_body(attribute) # nosemgrep
 return attr_put
diff --git a/tests/benchmarking/compose.yaml b/tests/benchmarking/compose.yaml
index f9b68df1d..c36aaaa77 100644
--- a/tests/benchmarking/compose.yaml
+++ b/tests/benchmarking/compose.yaml
@@ -6,6 +6,9 @@ services:
 image: registry.gitlab.com/tango-controls/docker/mysql:5
 environment:
 - MYSQL_ROOT_PASSWORD=root
+ security_opt:
+ - "no-new-privileges:true"
+ read_only: true
 tango-cs:
 hostname: localhost
@@ -20,3 +23,6 @@ services:
 - MYSQL_DATABASE=tango
 depends_on:
 - mysql
+ security_opt:
+ - "no-new-privileges:true"
+ read_only: true
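Review bot: `read_only: true` on the `mysql` service makes the container's root filesystem read-only, but the hunk declares no `tmpfs` or volume for the paths a MySQL server must write at startup (data directory, socket directory, temp files), so the service is likely to fail to start or initialise; the same applies to the `tango-cs` service in the second hunk of this file, whose write paths depend on that image. For the upstream MySQL layout the writable mounts would be something like `tmpfs:` / `  - /var/run/mysqld` / `  - /tmp` plus a named volume for `/var/lib/mysql` — confirm the paths against this `tango-controls` image and check that the compose stack still comes up. `no-new-privileges:true` is a good addition and needs no writable paths. `MYSQL_ROOT_PASSWORD=root` in the surrounding context is unchanged here; if that is intended for a benchmarking fixture, a comment saying so would stop it being flagged again.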