diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
new file mode 100644
index 00000000..a71e4f85
--- /dev/null
+++ b/.github/workflows/kics.yml
@@ -0,0 +1,38 @@
+---
+name: KICS Security Scan
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+        type: choice
+        options:
+          - info
+          - warning
+          - debug
+  pull_request:
+  merge_group:
+jobs:
+  kics:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Mkdir results-dir
+        # make sure results dir is created
+        run: mkdir -p results-dir
+      - name: run kics Scan
+        uses: Checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3
+        with:
+          # path: 'roles,plugins'
+          path: '.'
+          # fail_on: high
+          ignore_on_exit: results
+          output_formats: 'json,sarif'
+          output_path: results-dir
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@af56b044b5d41c317aef5d19920b3183cb4fbbec # v3
+        with:
+          sarif_file: results-dir/results.sarif