diff --git a/.github/workflows/vulnerability.yml b/.github/workflows/vulnerability.yml
new file mode 100644
index 000000000000..edb9148cdd49
--- /dev/null
+++ b/.github/workflows/vulnerability.yml
@@ -0,0 +1,43 @@
+name: "Vulnerability scan"
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    # every day at 7am UTC
+    - cron: '0 7 * * *'
+permissions:
+  contents: read
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v3
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - name: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          repo-checkout: false
+          go-version-file: go.mod
+      - name: govulncheck for release module
+        uses: golang/govulncheck-action@v1
+        with:
+          repo-checkout: false
+          cache: false # cache will be already setup by previous step
+          work-dir: release
+          go-version-file: release/go.mod
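Review bot: The dependency-review job will fail on every trigger except pull_request, because actions/dependency-review-action diffs a base ref against a head ref and has nothing to compare on the push, tag, schedule and workflow_dispatch runs this workflow also declares unless its base-ref/head-ref inputs are given. Gate the job with `if: github.event_name == 'pull_request'` directly under `dependency-review:` (or supply explicit refs) so the nightly and push runs report govulncheck results rather than a spurious red job. Separately, all `uses:` references are mutable major-version tags (`@v4`, `@v3`, `@v1`); for a workflow that is itself a security control, pinning each action to a full commit SHA with the version noted in a trailing comment keeps the action code reproducible across runs. The `permissions: contents: read` grant is already the minimum these steps need and should be kept as-is.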