diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 5e82007..55b767a 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -30,6 +30,26 @@ jobs:
 - name: Build
 run: pnpm build
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
+
 deploy-dev:
 if: github.ref == 'refs/heads/dev'
 needs: lint
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index dae73b6..bcc72ce 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -29,3 +29,18 @@ jobs:
 - name: Build
 run: pnpm build
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/README.md b/README.md
index 93a9611..cf0601e 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ A personal, opinionated SaaS template built for speed. Next.js 16 + Convex self-
 - [x] Project init script (`bin/init-template.mjs`)
 - [x] PWA Lite installability (manifest + icons)
 - [x] Docker deployment (Dockerfile + docker-compose)
+- [x] Security scanning (Trivy SAST + SCA)
 ## Quick Start
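Review bot: `uses: aquasecurity/trivy-action@master` in the new `security` job tracks a mutable branch, so the scanner executed with the repository checkout on every run is whatever upstream happens to hold that day; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>` (placeholder), and the same applies to the identical step in the `.github/workflows/lint.yml` hunk. The job also gates nothing: `deploy-dev` still declares `needs: lint` only, and trivy-action's `exit-code` input defaults to `'0'`, so CRITICAL/HIGH findings neither fail the job nor block the dev deploy — add `exit-code: '1'` under `with:` and list `security` in the deploy jobs' `needs` if the scan is meant to be a control rather than a report. Finally, `github/codeql-action/upload-sarif@v3` posts to GitHub's code-scanning API, which a Forgejo runner and its token presumably cannot reach, so with `if: always()` that step is likely to fail the job on every run; confirm on an actual run and, if so, replace it with an artifact upload of `trivy-results.sarif` or a `format: 'table'` step that prints findings to the log.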
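Review bot: The `github/codeql-action/upload-sarif@v3` step needs `security-events: write` on the job token, and the enclosing job's header and any `permissions` block start outside this hunk, so check that the job (or workflow) declares `permissions:` / `security-events: write`; with a restricted default token the upload typically fails with a permissions error and, because of `if: always()`, turns the job red on every run. Appending the scan after `run: pnpm build` also means it only executes when the build succeeds, so a dependency that both carries a CRITICAL CVE and breaks the build is never reported; running it as a separate job (as the ci.yml hunk does) keeps the two signals independent. `severity: 'CRITICAL,HIGH'` only filters what is written to `trivy-results.sarif`, not whether the step passes, so document that intent in a comment above the step, e.g. `# Report-only: findings are uploaded to code scanning but do not fail the job`, or make it enforcing.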