diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 40080df..5c45e95 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs: test-nginx: strategy: matrix: - version: [1.26.2, 1.27.1] + version: [1.26.2, 1.27.1, 1.28.2] fail-fast: false runs-on: "ubuntu-20.04"
diff --git a/.github/workflows/pr-security.yaml b/.github/workflows/pr-security.yaml
new file mode 100644
index 0000000..708a53b
--- /dev/null
+++ b/.github/workflows/pr-security.yaml
@@ -0,0 +1,32 @@
+---
+# onemedical//.github/workflows/pr-security.yaml
+#
+# This is the workflow for distribution to repositories across the organization.
+# It will call the reusable PR security workflow, and run scans against each PR.
+name: PR Security
+
+
+# yamllint disable-line rule:truthy
+on:
+ pull_request:
+ branches: [main, master]
+
+
+permissions:
+ # Required for workflows in private repositories.
+ contents: read
+
+ # Required for SARIF results upload to GHAS.
+ security-events: write
+ actions: read
+
+
+jobs:
+ # Run the reusable workflow.
+ run-workflow:
+ name: Run Workflow
+ # yamllint disable-line rule:line-length
+ uses: onemedical/github-reusable-workflows/.github/workflows/reusable-pr-security.yaml@main
+ # The detect-secrets tool is used in some repositories, and generates false
+ # positives like the one below. Add comment to ignore.
+ secrets: inherit # pragma: allowlist secret
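Review bot: The `uses:` line of the `run-workflow` job in pr-security.yaml references the reusable workflow at the mutable ref `@main` while `secrets: inherit` hands it every secret available to the calling repository. Any later change to that branch therefore runs in each consuming repo with those secrets and with the `security-events: write` token scope granted above. Pinning the reference to a full commit SHA (or at least a release tag) bounds what can run: `uses: onemedical/github-reusable-workflows/.github/workflows/reusable-pr-security.yaml@<full-commit-sha>`. Replacing `inherit` with a `secrets:` mapping of named entries would likewise limit exposure to what the scan needs. Which secrets the called workflow actually requires is not visible in this diff, so that list has to come from its `workflow_call` definition.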