diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..8c4f6af --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,27 @@ +## 🛡️ Security Checklist +*Review and check all that apply before requesting a review.* + +- [ ] **Secrets:** I have verified that no API keys, passwords, or certificates are hardcoded. +- [ ] **Dependencies:** I have checked for known vulnerabilities in any new libraries added. +- [ ] **Data Handling:** Sensitive data (PII) is encrypted or masked in logs. +- [ ] **Input Validation:** All user-provided input is sanitized to prevent SQLi or XSS. +- [ ] **Permissions:** New endpoints or features follow the Principle of Least Privilege. + +## ⚙️ Backend & Performance +- [ ] **Database:** I have checked for N+1 query issues and verified index usage. +- [ ] **Migrations:** Database migrations are reversible (where applicable) and tested. +- [ ] **Error Handling:** Errors are caught and returned with appropriate HTTP status codes. +- [ ] **Scalability:** Large datasets are handled via pagination, not loaded entirely into memory. +- [ ] **Async:** Long-running tasks are moved to background workers (if applicable). + +## 🧪 Testing & Quality +- [ ] **Unit Tests:** Added/updated tests for the core logic. +- [ ] **Integration:** Verified that API contracts haven't broken for downstream services. +- [ ] **Observability:** Added logs or metrics to track the success/failure of this feature. +- [ ] **Documentation:** Updated Swagger/OpenAPI specs or internal READMEs. + +## ✍️ Sign-off +- [ ] I confirm that I have performed a self-review of this code from a security perspective. + +**Reviewer Sign-off:** *(To be completed by the reviewer)* +- [ ] Security standards verified. \ No newline at end of file diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 0000000..0187370 --- /dev/null +++ b/.github/workflows/security-scan.yml 
@@ -0,0 +1,26 @@ +name: "Security Scan" + +on: + pull_request: + branches: [ "master" ] + +jobs: + analyze: + name: Analyze Code + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: 'javascript' # Change to your language (python, go, etc.) + + - name: Perform Analysis + uses: github/codeql-action/analyze@v3
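Review bot: in `.github/PULL_REQUEST_TEMPLATE.md`, the file ends without a trailing newline (`\ No newline at end of file` after `- [ ] Security standards verified.`); add one so later appends produce clean diffs. On content, the "Input Validation" item ("All user-provided input is sanitized to prevent SQLi or XSS") names the wrong control: sanitizing input is not what prevents either class, parameterized queries prevent SQLi and contextual output encoding prevents XSS, so the checkbox as written lets an author tick it after stripping a few characters. Suggested wording: `- [ ] **Input Validation:** User input is validated; database access uses parameterized queries and output is context-encoded (SQLi/XSS).`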
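Review bot: in `.github/workflows/security-scan.yml`, the only trigger is `pull_request` on `branches: [ "master" ]`, so the default branch itself is never analyzed and CodeQL has no baseline to compare PR results against; add a `push` trigger for `master` (and optionally a `schedule`) alongside the existing one, e.g. `on:` / `  push:` / `    branches: [ "master" ]`. Separately, for a workflow whose purpose is security scanning, pin `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` to full commit SHAs rather than mutable tags, and replace the `# Change to your language` comment with the actual language list for this repository so the scan is not silently misconfigured.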