diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index da7fd6b..c8c28c8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,6 +72,41 @@ jobs:
       - name: Build
         run: pnpm build
 
+  test:
+    name: Unit & Integration Tests
+    runs-on: ubuntu-latest
+    needs: lint-and-typecheck
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Generate Prisma client
+        run: pnpm --filter db db:generate
+        env:
+          DATABASE_URL: "postgresql://localhost:5432/test"
+
+      - name: Run unit and integration tests
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            pnpm test -- --affected
+          else
+            pnpm test
+          fi
+
   validate-schema:
     name: Validate Prisma Schema
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..24b9783
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,42 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "27 6 * * 1"
+  workflow_dispatch:
+
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (javascript-typescript)
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: javascript-typescript
+          build-mode: none
+          queries: security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:javascript-typescript"
diff --git a/package.json b/package.json
index ab478c0..d49f181 100644
--- a/package.json
+++ b/package.json
@@ -5,6 +5,7 @@
     "build": "turbo run build",
     "dev": "turbo run dev",
     "lint": "turbo run lint",
+    "test": "turbo run test",
     "format": "prettier --write \"**/*.{ts,tsx,md}\"",
     "check-types": "turbo run check-types"
   },
diff --git a/packages/db/package.json b/packages/db/package.json
index cc45130..095f812 100644
--- a/packages/db/package.json
+++ b/packages/db/package.json
@@ -22,8 +22,7 @@
     "db:push": "prisma db push",
     "db:migrate": "prisma migrate dev",
     "db:migrate:deploy": "prisma migrate deploy",
-    "db:validate": "prisma validate",
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "db:validate": "prisma validate"
   },
   "keywords": [],
   "author": "",
diff --git a/turbo.json b/turbo.json
index ce0cc5a..846878b 100644
--- a/turbo.json
+++ b/turbo.json
@@ -13,6 +13,10 @@
     "check-types": {
       "dependsOn": ["^check-types"]
     },
+    "test": {
+      "dependsOn": ["^build"],
+      "inputs": ["$TURBO_DEFAULT$", "**/*.spec.ts", "**/*.test.ts"]
+    },
     "dev": {
       "cache": false,
       "persistent": true