diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5ace460
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..4c0a1c5
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,51 @@
+name: NVD Vulnerability Scan
+
+on:
+ push:
+ branches: [main]
+ schedule:
+ - cron: '0 6 * * 1' # Weekly Monday 6am UTC
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ nvd-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup Clojure
+ uses: DeLaGuardo/setup-clojure@13.1
+ with:
+ cli: latest
+
+ - name: Cache NVD database
+ uses: actions/cache@v4
+ with:
+ path: ~/.m2/repository/org/owasp
+ key: nvd-db-${{ github.run_id }}
+ restore-keys: nvd-db-
+
+ - name: Run nvd-clojure scan
+ run: |
+ clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as nvd
+ clojure -Tnvd nvd.task/check :classpath '"'"$(clojure -Spath)"'"' :config-filename '"nvd-config.json"' || true
+
+ - name: Convert to SARIF (if results exist)
+ if: always()
+ run: |
+ if [ -f target/nvd/dependency-check-report.json ]; then
+ echo "NVD scan completed. Results available in target/nvd/"
+ # Upload raw results as artifact since nvd-clojure doesn't produce SARIF natively
+ fi
+
+ - name: Upload NVD report
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: nvd-vulnerability-report
+ path: target/nvd/
+ if-no-files-found: ignore
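Review bot: The workflow's `permissions` block grants `security-events: write`, but no step in the hunk uploads SARIF — the "Convert to SARIF" step only echoes a message and the report is shipped as an artifact — so the grant is unused and should be reduced to `contents: read` until an `upload-sarif` step actually exists. The scan step ends with `|| true`, which makes a failed tool install, a missing `nvd-config.json` (not part of this diff) and a genuine finding all indistinguishable from a clean run; if a red build is not wanted yet, at least drop `|| true` from the install line and record the check's exit status, e.g. `clojure -Tnvd nvd.task/check ... ; echo "nvd-clojure exit=$?"`. The scanner is installed at the floating `:mvn/version "RELEASE"`, the CLI at `cli: latest`, and every action is referenced by a mutable tag (`@v4`, `@13.1`); pinning the tool to an explicit version and the actions to full commit SHAs removes a supply-chain dependency on whatever those refs resolve to on a given Monday, and the `github-actions` Dependabot config added in the same commit should keep SHA-pinned actions current. The file is named `osv-scanner.yml` yet the workflow is titled `NVD Vulnerability Scan` and runs nvd-clojure/Dependency-Check rather than OSV-Scanner; renaming one or the other avoids the mismatch. Triggering only on `push` to `main` means a vulnerable dependency is first detected after merge; a `pull_request` trigger would surface it on the PR, though for a weekly scheduled scan that may be a deliberate choice.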