diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
new file mode 100644
index 00000000..6296a815
--- /dev/null
+++ b/.github/workflows/snyk-security.yml
@@ -0,0 +1,40 @@
+name: Snyk Security Scan
+
+on:
+  workflow_call:
+  push:
+
+jobs:
+  snyk-deps-scan:
+    name: Snyk Dependencies Scan
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+    uses: datum-cloud/actions/.github/workflows/snyk-scan.yaml@59769c197eef6e792c22365a03b1b674033b4657
+    with:
+      command: "test"
+      fail-on-issues: false
+      severity-threshold: "low"
+      args: "--report --strict-out-of-sync=false"
+      upload-sarif: false
+      debug: false
+      snyk-org: ${{ vars.SNYK_ORG }}
+    secrets: inherit
+
+  snyk-code-scan:
+    name: Snyk Code Scan (SAST)
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+    uses: datum-cloud/actions/.github/workflows/snyk-scan.yaml@59769c197eef6e792c22365a03b1b674033b4657
+    with:
+      command: "code test"
+      fail-on-issues: false
+      severity-threshold: "low"
+      args: "--report"
+      upload-sarif: false
+      debug: false
+      snyk-org: ${{ vars.SNYK_ORG }}
+    secrets: inherit
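Review bot: Both jobs request `security-events: write` while also setting `upload-sarif: false`, so the one thing that permission exists for (publishing SARIF to code scanning) is switched off; drop the `security-events: write` line from both `permissions:` blocks, or set `upload-sarif: true` if code-scanning results are actually wanted, unless the reusable workflow at the pinned SHA needs the scope for something else. The `push:` trigger carries no branch filter, so every push to every branch runs two Snyk scans that `--report` into the org, which is noisy and consumes scan quota; a filter such as `branches: [main]` under `push:` (constructed example, adjust to the repo's default branch) alongside the existing `workflow_call:` would limit that. `secrets: inherit` forwards the repository's entire secret set to the called workflow; passing only the token it declares under its own `secrets:` block keeps least privilege, even though the commit pin already bounds what code receives them. With `fail-on-issues: false` neither scan can gate a merge, so a comment above `jobs:` such as `# Report-only: findings go to the Snyk org, these jobs never fail the build` would stop the next reader from expecting a blocking check.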