diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..31b8148
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,55 @@
+name: Security Scans
+
+on:
+ push:
+ branches: [ main, security ]
+ pull_request:
+ branches: [ main ]
+ workflow_dispatch:
+
+jobs:
+ bandit:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.13'
+
+ - name: Install Bandit with TOML support
+ run: pip install "bandit[toml,sarif]"
+
+ - name: Run Bandit security scan
+ run: bandit -r . -c pyproject.toml -f sarif -o bandit-results.sarif || true
+
+ - name: Upload Bandit results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: bandit-results.sarif
+ category: bandit
+
+ gitleaks:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Gitleaks secret scan
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
diff --git a/pyproject.toml b/pyproject.toml
index e3ed32b..749acc3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -30,3 +30,8 @@ classifiers = [
 
 [project.scripts]
 pkoffee = "pkoffee.cli:main"
+
+[tool.bandit]
+exclude_dirs = ["tests", "doc", "analysis", ".pixi"]
+tests = ["B301","B302","B303","B304","B403","B506","B602","B603","B604","B605","B105"]
+skips = ["B101","B104","B110"]
\ No newline at end of file
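Review bot: `|| true` on the `Run Bandit security scan` step hides every failure mode of the scanner, not only findings: a crash, an unreadable `-c pyproject.toml` or a missing `sarif` extra all exit 0 without writing a report, and the `Upload Bandit results` step (running under `if: always()`) then fails on the absent `bandit-results.sarif` instead of on the real cause. Bandit's own `--exit-zero` keeps the step green when issues are found while still surfacing tool errors, so the line should read `run: bandit -r . -c pyproject.toml -f sarif -o bandit-results.sarif --exit-zero`. For a workflow that gates security, `pip install "bandit[toml,sarif]"` is unpinned and every action is referenced by a mutable tag (`@v6`, `@v5`, `@v3`, `@v2`); pinning the Bandit version and pinning the actions to full commit SHAs (tag kept in a trailing comment) makes the scan reproducible and resistant to tag moves. Secrets are not exposed to `pull_request` runs from forks, so the gitleaks job's `GITLEAKS_LICENSE` and token will be empty there and its behaviour on fork PRs is worth confirming.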
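Review bot: `tests = [...]` under `[tool.bandit]` turns Bandit into an allowlist of eleven checks, so anything outside it (for example B608 for string-built SQL, B501 for requests without certificate verification, or B324 for weak hashes) is never reported, and as far as Bandit's profile handling goes the `skips` line below it has no effect because none of B101, B104 and B110 are in the allowlist anyway. Unless the intent really is to run only those eleven plugins, drop the `tests` line and keep `skips = ["B101","B104","B110"]` so every check runs except the three deliberately excluded. A one-line comment above the table stating why those three are skipped, such as `# B101 assert, B104 bind-all-interfaces, B110 try/except/pass: accepted in this codebase`, would make the policy reviewable. The file also ends without a trailing newline (`\ No newline at end of file`).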