diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b388949..87b1967 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -66,3 +66,29 @@ jobs:
         with:
           sarif_file: devskim-results.sarif
           category: devskim
+
+  snyk:
+    name: snyk
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v3
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+      - run: pnpm install -g snyk
+      - run: snyk auth ${{ secrets.SNYK_TOKEN }}
+      - run: snyk monitor --all-projects
+      - run: snyk code test $(realpath src) --sarif > snyk-results.sarif || true
+      - run: |
+          jq '(.. | select(type == "object" and .artifactLocation and .artifactLocation.uri) | .artifactLocation.uri) |= "src/" + .' snyk-results.sarif > snyk-results.sarif.tmp
+          mv snyk-results.sarif.tmp snyk-results.sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk-results.sarif
+          category: snyk
diff --git a/.gitignore b/.gitignore
index f4cbe12..94325b0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,5 @@ node_modules
 dist
 *.log
 *.tgz
+.dccache
+*.sarif
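Review bot: The Snyk token is expanded straight into a shell command in `- run: snyk auth ${{ secrets.SNYK_TOKEN }}`, so it sits in the runner's process argument list and is protected only by the log masker; the Snyk CLI reads the `SNYK_TOKEN` environment variable itself, so that step can be dropped in favour of a job-level `env:` block with `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}`, which keeps the secret out of the command line entirely. `pnpm install -g snyk` also pulls whatever CLI version is current on each run, a floating dependency in a job whose output feeds the repository's security alerts; pinning it (`pnpm install -g snyk@<pinned version>`, placeholder) or using the vendor's published action makes scanner upgrades deliberate and reviewable. On the `snyk code test ... || true` line, the `|| true` hides install, auth and network failures as well as findings, so a scan that never ran leaves an empty SARIF and the job then fails at the `jq` step with an unrelated parse error; narrowing the swallow to the findings exit code (1) would keep genuine scanner failures visible. The enclosing `jobs:` mapping starts before this hunk.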