diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
new file mode 100644
index 00000000..a3d5bffd
--- /dev/null
+++ b/.buildkite/hooks/pre-command
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -eu
+pushd "$(dirname "${BASH_SOURCE[0]}")"/../..
+
+# Skip the rest if this is pipeline upload or empty
+if [[ "${BUILDKITE_COMMAND:-}" =~ "buildkite-agent pipeline upload".* ]]; then
+  exit 0
+fi
+
+TOOL_VERSION_FILES=()
+mapfile -d $'\0' TOOL_VERSION_FILES < <(fd .tool-versions --hidden --absolute-path --print0)
+
+for file in "${TOOL_VERSION_FILES[@]}"; do
+  echo "Installing asdf dependencies as defined in ${file}:"
+  parent=$(dirname "${file}")
+  pushd "${parent}"
+
+  asdf install
+
+  popd
+done
+
+popd
diff --git a/.tool-verions b/.tool-verions
new file mode 100644
index 00000000..9eb39d5f
--- /dev/null
+++ b/.tool-verions
@@ -0,0 +1 @@
+trivy 0.20.0
diff --git a/buildkite.yml b/buildkite.yml
index ab46103d..84652b68 100644
--- a/buildkite.yml
+++ b/buildkite.yml
@@ -1,4 +1,7 @@
 steps:
+  - label: :lock: trivy - security
+    command: ./buildkite/run-trivy.sh
+    agents: { queue: "standard" }
   - label: ':go:'
     # Note: go fmt on its own ignores testdata/ directories.
     command: test -z $(gfind internal/testdata -type f -name '*.go' -exec gofmt -l {} \;)