diff --git a/.gitea/workflows/bandit.yml b/.gitea/workflows/bandit.yml
new file mode 100644
index 0000000..36d634e
--- /dev/null
+++ b/.gitea/workflows/bandit.yml
@@ -0,0 +1,17 @@
+---
+name: Bandit
+on: [push]
+
+
+# XXX need to do stuff with uv
+jobs:
+ build:
+ runs-on: freebsd
+ strategy:
+ matrix:
+ python-version: ["3.11"]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Analyse code with Bandit
+ run: |
+ bandit -r .
diff --git a/.gitea/workflows/pip-audit.yml b/.gitea/workflows/pip-audit.yml
new file mode 100644
index 0000000..b713cda
--- /dev/null
+++ b/.gitea/workflows/pip-audit.yml
@@ -0,0 +1,23 @@
+---
+name: pip-audit
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: '0 0 * * 0' # Weekly on Sunday
+
+# XXX need to do stuff with uv
+jobs:
+ build:
+ runs-on: freebsd
+ strategy:
+ matrix:
+ python-version: ["3.11"]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Check vulnerable components with pip-audit
+ run: |
+ pip-audit .
+
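Review bot: Nothing in bandit.yml installs or pins Bandit, and the `python-version` matrix entry is never referenced by a step, so `bandit -r .` runs with whatever interpreter and Bandit release happen to be on the `freebsd` runner; the pip-audit workflow in the second hunk has the same gap. Until the uv setup mentioned in the `XXX` comment lands, either add a step that installs a pinned scanner version or drop the unused matrix, and record the assumption in the comment, e.g. `# XXX bandit is expected to be preinstalled on the runner; pin it once uv is wired in`. The trigger is also push-only, so pull requests coming from forks would not be scanned before merge, unlike pip-audit.yml; `on: [push, pull_request]` would align the two.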
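Review bot: `pip-audit .` in pip-audit.yml audits, as far as I can tell, whatever versions get resolved from the project metadata at run time, which may differ from the versions that are actually locked and deployed. If the project is moving to uv as the `XXX` comment suggests, auditing a requirements file exported from the lockfile would be more faithful, e.g. `pip-audit -r requirements.txt`. Separately, `actions/checkout@v4` here and in bandit.yml is a mutable tag; pinning it to a full commit SHA, `uses: actions/checkout@<full-commit-sha>  # v4`, keeps a retagged release from changing what runs on the runner.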