diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml
new file mode 100644
index 0000000000..e0dfdcd9f0
--- /dev/null
+++ b/.github/workflows/semgrep_diff.yml
@@ -0,0 +1,23 @@
+---
+name: Semgrep Differential Scan
+on:
+ pull_request:
+
+jobs:
+ semgrep-diff:
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep
+
+ steps:
+ # Step 1: Clone application source code
+ - name: Checkout code
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ fetch-depth: 0
+
+ # Step 2: Differential scan
+ - name: Differential scan
+ run: |
+ semgrep scan --error --metrics=off --config="p/trailofbits" \
+ --baseline-commit ${{ github.event.before }}
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 0000000000..09f86810a2
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,2 @@
+# Ignore The Nagios Configuration J2 templates, as they are only examples.
+./ansible/playbooks/nagios/roles/Nagios_Config/files/templates/*.j2
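Review bot: In the `run:` step, `--baseline-commit ${{ github.event.before }}` is the wrong baseline for a workflow triggered on `pull_request`: as far as I recall that field is only populated for the `synchronize` action and then holds the previous PR head, so on `opened` it expands to an empty string (leaving `--baseline-commit` without a value and failing the step), and on later pushes only the newest push is diffed, so findings introduced earlier in the same PR stop being reported. The PR base is the intended baseline: `--baseline-commit ${{ github.event.pull_request.base.sha }}`. Separately, the workflow declares no `permissions:` block, so the job token inherits the repository default; the job only needs to read the checkout, so adding `permissions:` / `contents: read` at the top level keeps it to least privilege. Pinning `actions/checkout` to a full commit SHA with a version comment is the right practice and should be kept.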
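Review bot: The ignore pattern `./ansible/playbooks/nagios/roles/Nagios_Config/files/templates/*.j2` carries a leading `./`; .semgrepignore uses gitignore-style matching and I am not certain that prefix is honored, so it is worth confirming on a scan that the templates are actually skipped rather than silently still reported (or, conversely, that nothing broader is excluded). The conventional form without the prefix is `ansible/playbooks/nagios/roles/Nagios_Config/files/templates/*.j2`. The comment could also state the consequence, e.g. `# Excluded from scanning: any credentials or unsafe defaults in these example templates will not be flagged.`, so the exclusion is revisited if the templates ever stop being examples.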