diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
new file mode 100644
index 000000000..d0254ca2d
--- /dev/null
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,20 @@
+name: Security scan
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - hotfix/*
+      - work/secscan # For development
+
+jobs:
+  python-scans:
+    name: Scan Python project
+    uses: canonical/starflow/.github/workflows/scan-python.yaml@main
+    with:
+      packages: python-apt-dev
+      # 1. requirements-noble.txt can't build on jammy
+      # 2. Ignore requirements files in spread tests, as some of these intentionally
+      # contain vulnerable versions.
+      requirements-find-args: '! -name requirements-noble.txt ! -path "./tests/spread/*"'
+      osv-extra-args: '--config=source/osv-scanner.toml'
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 000000000..17da2fac1
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,4 @@
+[[IgnoredVulns]]
+id = "CVE-2024-35195"
+ignoreUntil = "2025-01-01T00:00:00Z"
+reason = "Needed for requests-unixsocket, which we're replacing with requests-unixsocket2"
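Review bot: The reusable workflow is pulled in by a mutable ref, `uses: canonical/starflow/.github/workflows/scan-python.yaml@main`, so the scan logic and every action it transitively runs can change underneath this repository with no reviewable diff here; pin it to a release tag or, preferably, a full commit SHA and let Dependabot bump it, e.g. `uses: canonical/starflow/.github/workflows/scan-python.yaml@<pinned-commit-sha>  # <release tag>`. The job also runs with the repository's default GITHUB_TOKEN permissions since no `permissions:` block is declared; a top-level block granting only what the called workflow needs (`contents: read` at minimum; anything beyond that I cannot tell from this hunk) keeps the scan on least privilege. The `work/secscan` trigger is annotated `# For development` and should be removed before merge so that branch does not keep running scans after the feature lands. `osv-extra-args: '--config=source/osv-scanner.toml'` presumably relies on the called workflow checking the repository out under `source/`; a short comment recording that coupling would save the next maintainer a failed run when the callee's checkout path changes.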
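Review bot: The ignore entry is keyed only on `id = "CVE-2024-35195"`, so as far as this config shows it silences that advisory for every package in every scanned requirements file, not just the one pulled in by requests-unixsocket; any other dependency carrying the same advisory would also go unreported until `ignoreUntil` lapses. The `reason` names the replacement package but not where the migration is tracked, which makes the 2025-01-01 expiry easy to extend silently rather than resolve; appending a reference, e.g. `reason = "Needed for requests-unixsocket, which we're replacing with requests-unixsocket2 (tracked in <issue link placeholder>)"`, ties the suppression to the work that removes it.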