diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 9a8c373..acdc2e6 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -42,7 +42,7 @@ jobs:
           fi
   docker:
-    name: Build & push ${{ matrix.service }}
+    name: Build, scan & push ${{ matrix.service }}
     runs-on: ubuntu-latest
     needs: tag
     strategy:
@@ -76,6 +76,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to Gitea container registry
         uses: docker/login-action@v3
         with:
@@ -83,7 +86,26 @@ jobs:
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_TOKEN }}
-      - name: Build and push
+      - name: Build image locally
+        uses: docker/build-push-action@v5
+        with:
+          context: templates/${{ matrix.service }}
+          load: true
+          push: false
+          tags: decnet-${{ matrix.service }}:scan
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: decnet-${{ matrix.service }}:scan
+          exit-code: "1"
+          severity: CRITICAL
+          ignore-unfixed: true
+
+      - name: Push image
+        if: success()
         uses: docker/build-push-action@v5
         with:
           context: templates/${{ matrix.service }}
@@ -91,3 +113,4 @@ jobs:
           tags: |
             ${{ env.REGISTRY }}/${{ env.OWNER }}/decnet-${{ matrix.service }}:latest
             ${{ env.REGISTRY }}/${{ env.OWNER }}/decnet-${{ matrix.service }}:v${{ needs.tag.outputs.version }}
+          cache-from: type=gha
diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
new file mode 100644
index 0000000..1778512
--- /dev/null
+++ b/.gitea/workflows/security.yml
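Review bot: `uses: aquasecurity/trivy-action@master` in the "Scan with Trivy" step pulls the action from a moving branch, so the code executed in a job that already holds REGISTRY_USER/REGISTRY_TOKEN from the login step changes whenever upstream's master changes; pin it like the other actions, preferably to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>  # vX.Y.Z`. The "Push image" step then re-runs build-push-action instead of pushing the image that was scanned; with `cache-from: type=gha` the rebuild is probably layer-identical, but that is not guaranteed, so retagging and pushing `decnet-${{ matrix.service }}:scan` would make the scanned digest the published one. `if: success()` is the default step condition and can be dropped. `severity: CRITICAL` together with `ignore-unfixed: true` means HIGH findings and unfixed CRITICALs never block the push; if that is the intended policy, a comment above the step saying so would help the next reader. The push step's `push:` line lies outside this hunk.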
@@ -0,0 +1,29 @@
+name: Security
+
+on:
+  push:
+    branches: [dev, testing]
+
+jobs:
+  bandit:
+    name: SAST (bandit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install bandit
+      - run: bandit -r decnet/ -ll -x decnet/services/registry.py
+
+  pip-audit:
+    name: Dependency audit (pip-audit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install pip-audit
+      - run: pip install -e .
+      - run: pip-audit
diff --git a/pyproject.toml b/pyproject.toml
index 817ae56..ddc1664 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -15,6 +15,8 @@ dependencies = [
     "jinja2>=3.1",
     "pytest>=8.0",
     "ruff>=0.4",
+    "bandit>=1.7",
+    "pip-audit>=2.0",
 ]
 [project.scripts]
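Review bot: `bandit -r decnet/ -ll -x decnet/services/registry.py` excludes an entire source file from SAST with no stated reason, so findings there are never reported and nobody can later tell whether the exclusion is still justified; add a comment above the step such as `# registry.py excluded from bandit because: <reason>; revisit when <condition>`, or replace the file-level `-x` with line-level `# nosec` markers on the specific findings so the rest of the file stays scanned. `-ll` likewise drops low-severity findings and belongs in the same comment if intentional. `on: push: branches: [dev, testing]` means findings surface only after a merge; a `pull_request` trigger would report them before. Both jobs pin `actions/checkout@v4` and `actions/setup-python@v5` only by major tag, consistent with release.yml, so the same SHA-pinning consideration applies here.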
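Review bot: `"bandit>=1.7"` and `"pip-audit>=2.0"` are added to the runtime `dependencies` list, so every consumer installing the package pulls in two security tools and their transitive dependencies, widening the installed surface that `pip-audit` will then report on, although they are only needed in CI. The list already carries pytest and ruff the same way, so this follows the file's existing convention, but a `[project.optional-dependencies]` group, e.g. `dev = ["pytest>=8.0", "ruff>=0.4", "bandit>=1.7", "pip-audit>=2.0"]`, would be the usual home for all four. The new security workflow installs bandit and pip-audit with their own `pip install` steps, so nothing in CI appears to depend on these two entries.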