diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
new file mode 100644
index 00000000..344b69e2
--- /dev/null
+++ b/.github/workflows/code_scan.yml
@@ -0,0 +1,40 @@
+name: Code Scanning
+
+on:
+ push:
+ branches:
+ - releases/*
+ schedule:
+ # every UTC 6PM from Mon to Fri
+ - cron: "0 18 * * 1-5"
+ workflow_dispatch: # run on request (no need for PR)
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ Trivy-Scan:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Set up Python
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+ with:
+ python-version: "3.10"
+ - name: Install dependencies
+ run: |
+ pip install .
+ pip freeze > requirements.txt
+ - name: Trivy Scanning
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ scan-type: fs
+ scan-ref: requirements.txt
+ format: json
+ output: .tox/trivy-scan-result.spdx.json
+ - name: Upload Trivy results artifact
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ with:
+ name: trivy-scan-results
+ path: .tox/trivy-scan-results.spdx.json
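Review bot: The Trivy output path and the upload path disagree — the scan step writes `output: .tox/trivy-scan-result.spdx.json` (singular) while the upload step reads `path: .tox/trivy-scan-results.spdx.json` (plural) — so the artifact step will find nothing and, since upload-artifact v4 only warns on missing files by default, the job stays green with no results published; use one name in both places, e.g. `output: .tox/trivy-scan-results.json` and `path: .tox/trivy-scan-results.json`. The `.spdx.json` suffix is also misleading with `format: json`, which is Trivy's native vulnerability report rather than an SPDX SBOM; if an SBOM is intended, `format: spdx-json` is the Trivy option. Separately, `aquasecurity/trivy-action@0.20.0` is pinned to a mutable tag while every other action in this workflow is pinned to a full commit SHA with a version comment — pin it to the release commit as well (`uses: aquasecurity/trivy-action@<commit-sha> # 0.20.0`) so the supply-chain posture is consistent. Note that the step sets neither `exit-code` nor `severity` and uploads no SARIF, so findings only land in an artifact and never gate the release branch; if that is deliberate, a comment on the step saying so would save the next reader from assuming it enforces anything.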