diff --git a/.github/workflows/build-on-pull-request.yml b/.github/workflows/build-on-pull-request.yml
index aa45bf5..6a12ab9 100644
--- a/.github/workflows/build-on-pull-request.yml
+++ b/.github/workflows/build-on-pull-request.yml
@@ -3,27 +3,6 @@ on:
 pull_request:
 branches: [master]
 jobs:
- # sast-scan:
- # runs-on: ubuntu-latest
- # # Skip any PR created by dependabot to avoid permission issues:
- # if: (github.actor != 'dependabot[bot]')
- # steps:
- # - uses: actions/checkout@v5
- # - uses: actions/setup-node@v4
- # with:
- # node-version: "22"
- # - run: npm install -g snyk
- # - run: snyk config set api=${{ secrets.SNYK_API_KEY }}
- # - run: snyk code test src/main
- malware-scan:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v5
- - name: Malware Scanner # https://github.com/dell/common-github-actions/blob/main/malware-scanner/README.md
- uses: dell/common-github-actions/malware-scanner@main
- with:
- directories: .
- options: -ri
 build-and-test:
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/scan-malware.yml b/.github/workflows/scan-malware.yml
new file mode 100644
index 0000000..3798846
--- /dev/null
+++ b/.github/workflows/scan-malware.yml
@@ -0,0 +1,14 @@
+name: scan-malware
+on:
+ pull_request:
+ branches: [master]
+jobs:
+ scan-malware:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v5
+ - name: Malware Scanner # https://github.com/dell/common-github-actions/blob/main/malware-scanner/README.md
+ uses: dell/common-github-actions/malware-scanner@main
+ with:
+ directories: .
+ options: -ri
diff --git a/.github/workflows/scan-semgrep.yml b/.github/workflows/scan-semgrep.yml
new file mode 100644
index 0000000..73b5615
--- /dev/null
+++ b/.github/workflows/scan-semgrep.yml
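Review bot: The `uses: dell/common-github-actions/malware-scanner@main` step in the new scan-malware job follows a mutable branch, so whatever is pushed to that branch runs on every pull request here without any review in this repository. Pin it to a full commit SHA, `uses: dell/common-github-actions/malware-scanner@<full-commit-sha>  # main`, and let dependabot move the pin. The workflow also has no `permissions:` block, so the job gets the repository's default token scope; a scanner that only reads the checked-out tree should need no more than a top-level `permissions:` with `contents: read`.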
@@ -0,0 +1,19 @@
+name: scan-semgrep
+on:
+ pull_request: {}
+ workflow_dispatch: {}
+ merge_group:
+ types: [checks_requested]
+jobs:
+ scan-semgrep:
+ name: semgrep/ci
+ runs-on: ubuntu-latest
+ container:
+ image: semgrep/semgrep
+ # Skip any PR created by dependabot and any check triggered by merge group
+ if: (github.actor != 'dependabot[bot]') && (github.event != 'merge_group')
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep ci
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
diff --git a/.gitignore b/.gitignore
index 04e06f6..1a0dfb1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ output.xml
 .project
 .settings
 .DS_Store
+.dccache
diff --git a/src/main/java/io/codeclou/java/junit/xml/merger/JunitXmlParser.java b/src/main/java/io/codeclou/java/junit/xml/merger/JunitXmlParser.java
index 614fca1..2eaba78 100644
--- a/src/main/java/io/codeclou/java/junit/xml/merger/JunitXmlParser.java
+++ b/src/main/java/io/codeclou/java/junit/xml/merger/JunitXmlParser.java
@@ -52,8 +52,9 @@ public class JunitXmlParser {
 private Boolean hasFileNotFoundErrors = false;
 protected TestSuite parseTestSuite(File filename) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = dbf.newDocumentBuilder();
 Document document = builder.parse(filename);
 return transform(document.getFirstChild());
 }
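Review bot: The merge-group half of the `if:` guard in scan-semgrep compares `github.event`, which is the event payload object, with a string, so `(github.event != 'merge_group')` should always evaluate to true and the job still runs for merge-queue checks; the event name is in `github.event_name`. The line should read `if: (github.actor != 'dependabot[bot]') && (github.event_name != 'merge_group')`. Separately, `image: semgrep/semgrep` resolves to whatever `latest` points at when the job starts, and that container is handed `SEMGREP_APP_TOKEN`; pinning the image by digest, `image: semgrep/semgrep@sha256:<digest>`, keeps the secret away from an image nobody reviewed. The checkout here is `actions/checkout@v4` while the other workflows in this commit use `@v5`, which looks unintentional.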
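Review bot: The new `dbf.setFeature(...)` line in parseTestSuite has no comment saying why it is there, and it changes behaviour: a report that contains a `<!DOCTYPE` declaration is now rejected with a SAXParseException instead of being parsed. I would add `// XXE hardening: refuse any DOCTYPE so DTDs and external entities are never resolved` above it, plus a test that feeds a DOCTYPE-bearing file and expects the SAXException. How the caller handles that exception is outside the hunk, so it is worth confirming that a rejected file is reported clearly rather than silently dropped from the merge. As defence in depth the factory could also get `dbf.setXIncludeAware(false);` and `dbf.setExpandEntityReferences(false);`.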