diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
new file mode 100644
index 000000000..86700d67e
--- /dev/null
+++ b/.github/workflows/static-analysis.yaml
@@ -0,0 +1,25 @@
+name: static-analysis
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+
+jobs:
+  static-analysis:
+    name: static-analysis
+    runs-on: ubuntu-20.04-8core
+    container: gcr.io/solo-public/envoy-build-ubuntu:0.4.25
+    steps:
+    - uses: actions/checkout@v3
+    - name: Add safe directory
+      run: git config --global --add safe.directory /__w/envoy-gloo/envoy-gloo
+    - name: Run static analysis
+      run: ci/static_analysis.sh
+    - name: Archive static analysis results
+      if: ${{ !cancelled() }}
+      uses: actions/upload-artifact@v3
+      with:
+        name: static-analysis-report
+        path: linux/amd64/analysis/scan-build-*/
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index 1eb6e0425..8b364657f 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -1,14 +1,17 @@
 REPOSITORY_LOCATIONS = dict(
+    # can't have more than one comment between envoy line and commit line in 
+    # order to accommodate `check_extensions_build_config.sh`
     envoy = dict(
         # envoy 1.29.2 with backported ext_proc updates
-        commit = "b5c77750dc0f9de19478c89776f580fb9336fc99",
+        commit = "07d43f271290583b3019a1172420d4b33bd52153", # v1.29.2-fork1
         remote = "https://github.com/solo-io/envoy-fork",
     ),
     inja = dict(
         # Includes unmerged modifications for
         # - JSON pointer syntax support
         # - Allowing escaped strings
-        commit = "3aa95b8b58a525f86f79cb547bf937176c9cc7ff", # v3.4.0-patch1
+        # - Patching dangling reference
+        commit = "1ee6ec1b89e73f1257b27242f394979f6de85e77", # v3.4.0-patch3
         remote = "https://github.com/solo-io/inja", # solo-io fork including the changes
     ),
     json = dict(
diff --git a/changelog/v1.29.2-patch2/static-analysis.yaml b/changelog/v1.29.2-patch2/static-analysis.yaml
new file mode 100644
index 000000000..861f3a6d7
--- /dev/null
+++ b/changelog/v1.29.2-patch2/static-analysis.yaml
@@ -0,0 +1,15 @@
+changelog:
+- type: NON_USER_FACING
+  issueLink: https://github.com/solo-io/envoy-gloo-ee/issues/687
+  resolvesIssue: false
+  description: >-
+    Adds definition for static analysis check, bump to patched dependencies to resolve
+    issues uncovered by the check.
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: envoy-fork
+  dependencyTag: v1.29.2-fork1
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: inja
+  dependencyTag: v3.4.0-patch3