diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..f39a636
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,26 @@
+---
+name: Security (pysentry)
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ schedule:
+ - cron: "0 8 */3 * *"
+
+jobs:
+ vulnerability-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: "Set up Python"
+ uses: actions/setup-python@v6
+ with:
+ python-version-file: ".python-version"
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v7
+ with:
+ enable-cache: true
+ - name: Scan dependencies for vulnerabilities
+ run: uvx pysentry-rs .
diff --git a/.pysentry.toml b/.pysentry.toml
new file mode 100644
index 0000000..2b106e3
--- /dev/null
+++ b/.pysentry.toml
@@ -0,0 +1,50 @@
+version = 1
+
+[defaults]
+format = "human"
+severity = "low"
+fail_on = "medium"
+scope = "all"
+direct_only = false
+detailed = false
+include_withdrawn = false
+no_ci_detect = false
+
+[sources]
+enabled = [
+ "pypa",
+ "pypi",
+ "osv",
+]
+
+[resolver]
+type = "uv"
+
+[cache]
+enabled = true
+resolution_ttl = 24
+vulnerability_ttl = 48
+
+[ignore]
+ids = []
+while_no_fix = []
+
+[http]
+timeout = 120
+connect_timeout = 30
+max_retries = 3
+retry_initial_backoff = 1
+retry_max_backoff = 60
+show_progress = true
+
+[maintenance]
+enabled = true
+forbid_archived = false
+forbid_deprecated = false
+forbid_quarantined = false
+forbid_unmaintained = false
+check_direct_only = false
+cache_ttl = 1
+
+[notifications]
+enabled = true
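Review bot: The `vulnerability-scan` job declares no `permissions:` block, so the GITHUB_TOKEN it receives carries whatever default the repository grants although the job only needs to read the checkout; a job-level `permissions: { contents: read }` (written in block style) is the least-privilege setting. The three actions are referenced by floating major-version tags (`actions/checkout@v6`, `actions/setup-python@v6`, `astral-sh/setup-uv@v7`), which a moved tag or a compromised release would silently redirect; pinning each to a full-length commit SHA with the version kept in a trailing comment removes that trust. `uvx pysentry-rs .` likewise resolves the newest scanner release from PyPI on every run, so the tool gating the build is itself unpinned and a run is not reproducible; `uvx pysentry-rs==<pinned-version> .` fixes that. Whether `.python-version` exists in the repository is not visible in this diff, and `setup-python` fails if the file is absent.

```yaml
jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<full-commit-sha>  # v6
      # … unchanged: setup-python and setup-uv steps, each pinned to a commit SHA the same way …
      - name: Scan dependencies for vulnerabilities
        run: uvx pysentry-rs==<pinned-version> .
```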
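Review bot: The `[ignore]` section ships empty with no comment on how suppressions are to be recorded, so the first `ids` entry added under deadline pressure will arrive without a reason or an expiry; a comment above it such as `# One entry per advisory id, each with the reason and a review date in a trailing comment.` sets that expectation before the list is populated. `while_no_fix` presumably holds ids suppressed only until a fixed release exists, but its exact behaviour is not visible here, so confirm it against the pysentry documentation before relying on it. It is also worth documenting the intent behind `severity = "low"` together with `fail_on = "medium"`: low-severity findings appear in the report but do not fail the job, which a reader may otherwise mistake for a gap in coverage.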