diff --git a/.github/workflows/pr-security-scanning.yml b/.github/workflows/pr-security-scanning.yml
new file mode 100644
index 00000000..d28eb03f
--- /dev/null
+++ b/.github/workflows/pr-security-scanning.yml
@@ -0,0 +1,26 @@
+name: "[pr] Report: Scan for Security Vulnerabilities"
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  run-security-scan:
+    runs-on: 
+      - ephemeral
+      - ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run composite security scanning
+        id: security-scanning
+        uses: customerio/cio-actions/security-scanning@main
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on pull request
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body-path: ${{ steps.security-scanning.outputs.semgrep_report_path }}