diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..385eb4c
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @p5
diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 0000000..a1961c6
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:best-practices"
+ ],
+ "packageRules": [
+ {
+ // Automatically update minor versions of common GitHub Actions
+ "automerge": true,
+ "matchManagers": [
+ "github-actions"
+ ],
+ "matchUpdateTypes": [
+ "minor",
+ "patch",
+ "pin",
+ "digest",
+ "pinDigest"
+ ],
+ "matchDepNames": [
+ "actions/checkout",
+ "actions/setup-node",
+ "actions/setup-go",
+ "trufflesecurity/trufflehog",
+ "actions/dependency-review-action",
+ "advanced-security/set-codeql-language-matrix",
+ "github/codeql-action/init",
+ "github/codeql-action/autobuild",
+ "github/codeql-action/analyze"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..3d39cc1
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,29 @@
+name: Renovate
+
+on:
+ pull_request:
+ paths:
+ - ".github/renovate.json"
+ - ".github/renovate.json5"
+ - "renovate.json"
+ - "renovate.json5"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4
+ with:
+ node-version: latest
+
+ # Hosted Renovate should use the latest available version, so always
+ # install the newest version of Renovate
+ - name: Install dependencies
+ run: npm install -g renovate
+
+ - name: Validate Renovate config
+ run: renovate-config-validator --strict
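Review bot: The `matchDepNames` entries `github/codeql-action/init`, `github/codeql-action/autobuild` and `github/codeql-action/analyze` in the packageRules block will probably never match: as far as I recall, Renovate's github-actions manager records the depName as the `owner/repo` part only (`github/codeql-action`) and keeps the `/init` subpath separately, so those three updates would silently stay outside the automerge rule while the rest are automerged. Worth confirming against a Renovate dry-run log and, if so, collapsing the three entries to `"github/codeql-action"`. Separately, automerging `digest` updates of third-party actions such as `trufflesecurity/trufflehog` and `advanced-security/set-codeql-language-matrix` removes the human look at a change to code that runs in CI with the repository token; if that is intended, a `minimumReleaseAge` on this rule gives a window for an upstream compromise to be noticed before the pin moves.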
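Review bot: The `validate` job in renovate.yml declares no `permissions:` block, so its token receives the repository's default permission set, whereas every job added to security.yml in this same commit restricts itself to `contents: read`. This job is the one that most benefits from a narrow token, since it runs `npm install -g renovate` (a freshly resolved, unpinned package) on `node-version: latest`, and nothing in the job needs more than read access to check out the config. Add `permissions:` / `  contents: read` at the workflow level, matching the style used in security.yml.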
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..a7da585
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,92 @@
+name: Security
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: "0 0 * * 1" # Run every Monday at 00:00 UTC
+
+jobs:
+ dependency-review:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4
+ with:
+ fail-on-severity: high
+
+ secrets-scan:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 0
+
+ - name: TruffleHog OSS
+ uses: trufflesecurity/trufflehog@b9dd330365132cd2d01dd5dc8a857a056a2544e1 # v3.79.0
+ with:
+ path: ./
+ base: ${{ github.event.repository.default_branch }}
+ head: HEAD
+ extra_args: --only-verified
+
+ codeql-setup:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.languages }}
+ steps:
+ - name: Get languages from repo
+ id: set-matrix
+ uses: advanced-security/set-codeql-language-matrix@975244ea2e4c0668b8d289ac2b61fa7f0976f328 # v1
+ with:
+ access-token: ${{ secrets.GITHUB_TOKEN }}
+ endpoint: ${{ github.event.repository.languages_url }}
+
+ codeql-scan:
+ if: ${{ needs.create-matrix.outputs.matrix != '' }}
+ needs: codeql-setup
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+ # CodeQL uses an older version of Go, so we should set it up ourselves
+ # so our project can be built with the required version
+ - name: Setup Go
+ if: ${{ matrix.language == 'go' }}
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/README.md b/README.md
index 525a1af..b4cc95f 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,5 @@
-# dmarc-monitor
\ No newline at end of file
+# dmarc-monitor
+
+A serverless-first application that helps organizations monitor their DMARC records and reports.
+
+This will be a playground for me to experiment with various developer frameworks, AWS services and serverless architectures, and not currently intended for production use.
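Review bot: The `codeql-scan` job reads `needs.create-matrix.outputs.matrix` in both its `if:` and its `matrix.language` expression, but the job that produces the output is named `codeql-setup` (which is also what `needs:` lists), so no `create-matrix` job exists; depending on how GitHub evaluates the missing property this either fails workflow validation or yields an empty value that `fromJSON` rejects, and either way the CodeQL scan never runs as written. Change the two lines to `if: ${{ needs.codeql-setup.outputs.matrix != '' }}` and `language: ${{ fromJSON(needs.codeql-setup.outputs.matrix) }}`. A smaller point: the same actions/checkout digest `692973e…` is annotated `# v4` in two jobs and `# v4.1.7` in `secrets-scan`; both are correct, but one form is easier to keep in sync when the pin is bumped.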