diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..c88da4d
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,39 @@
+name: 🛡️ Security Scan (Latest)
+
+on:
+  workflow_dispatch: ~
+  schedule:
+    - cron: "0 14 * * *"
+
+permissions:
+  contents: read
+  packages: read
+  security-events: write
+
+jobs:
+  trivy_scan:
+    name: Trivy scan container images
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        image_ref:
+          - ghcr.io/skpr/node:24-v3-latest
+          - ghcr.io/skpr/node:dev-24-v3-latest
+          - ghcr.io/skpr/node:22-v3-latest
+          - ghcr.io/skpr/node:dev-22-v3-latest
+          - ghcr.io/skpr/node:20-v3-latest
+          - ghcr.io/skpr/node:dev-20-v3-latest
+
+    steps:
+      - name: 🔑 Log in to the GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 🛡️ Scan + upload (Trivy SARIF)
+        uses: skpr/image-scan-action@v1
+        with:
+          image-ref: ${{ matrix.image_ref }}
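Review bot: Both actions in the steps block are referenced by mutable tags (`uses: docker/login-action@v3` and `uses: skpr/image-scan-action@v1`), so a retagged release changes what runs under this workflow's `security-events: write` grant and with the registry token from the login step. Pin each to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v3`, and let Dependabot or Renovate bump the pins. A style point on the trigger: `workflow_dispatch: ~` uses the tilde null, which yamllint discourages; `workflow_dispatch: {}` reads more clearly and is the conventional form. Since every matrix entry is a floating `-latest` tag, it may also be worth having the scan step surface the resolved image digest in its output so a SARIF finding can be tied to the exact image scanned, assuming the action does not already do so.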