diff --git a/.github/workflows/run-tests.yml b/.github/workflows/_run-tests.yml
similarity index 76%
rename from .github/workflows/run-tests.yml
rename to .github/workflows/_run-tests.yml
index 709eda9..1a1f172 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/_run-tests.yml
@@ -1,7 +1,6 @@
 name: Run tests and static build
 
 on:
-  pull_request:
   workflow_call:
   workflow_dispatch:
 
@@ -9,7 +8,15 @@ permissions:
   contents: read
 
 jobs:
-  run-tests:
+  detect-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+      - name: Detect secrets
+        uses: alphagov/pay-ci/actions/detect-secrets@master
+
+  tests:
     name: Unit tests and static build
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..8b61c54
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,15 @@
+name: PR
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    uses: ./.github/workflows/_run-tests.yml
+
+  dependency-review:
+    name: Dependency Review scan
+    uses: alphagov/pay-ci/.github/workflows/_run-dependency-review.yml@master
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index fbf41e5..df29ed9 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -18,7 +18,7 @@ concurrency:
 jobs:
   run-tests:
     name: Unit tests and static build
-    uses: ./.github/workflows/run-tests.yml
+    uses: ./.github/workflows/_run-tests.yml
   static:
     name:  Deploy and release Pay product pages
     needs: run-tests