diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
new file mode 100644
index 0000000..d37fb3b
--- /dev/null
+++ b/.github/workflows/check.yml
@@ -0,0 +1,25 @@
+name: Check
+
+on:
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ check:
+ uses: wetransform/gha-workflows/.github/workflows/gradle-library.yml@master
+ with:
+ gradle-tasks: ''
+ java-version: 17
+ notify-failure: false
+ skip-build: true # only do scan, build takes long and often failing
+ expect-tests: false
+ submodules: 'recursive'
+
+ # work around issue with new Zip validation in recent Java updates
+ # for info see https://github.com/iBotPeaches/Apktool/issues/3174
+ java-options: '-Djdk.util.zip.disableZip64ExtraFieldValidation=true'
+
+ # rename lockfile so trivy picks it up
+ pre-build-command: mv gradle/dependency-locks/platform.lockfile gradle/dependency-locks/platform-gradle.lockfile
+ secrets: inherit
diff --git a/build.gradle b/build.gradle
index d51c154..bb98678 100644
--- a/build.gradle
+++ b/build.gradle
@@ -212,6 +212,9 @@ configurations {
 details.useTarget "com.hierynomus:sshj:${details.requested.version}"
 }
 }
+
+ // activate dependency locking for generating a lockfile for security scanning
+ resolutionStrategy.activateDependencyLocking()
 }
 }
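Review bot: The reusable workflow on the `uses:` line is pinned to the mutable `@master` ref while `secrets: inherit` on the last line hands it every secret of this repository, so anyone who can push to that branch of wetransform/gha-workflows changes what runs with these secrets; pin it to a full commit SHA and bump it deliberately, `uses: wetransform/gha-workflows/.github/workflows/gradle-library.yml@<commit-sha>  # <tag>` (placeholders). The file also sets no `permissions:` block, so the called workflow inherits the caller's default `GITHUB_TOKEN` scopes; a top-level `permissions:` with `contents: read` (plus whatever the scan needs to upload results) keeps it least-privilege. The `mv` in `pre-build-command` assumes `gradle/dependency-locks/platform.lockfile` is committed, so the job fails before the scan on a branch without a lockfile; a `test -f … &&` guard or a sentence in the comment saying the lockfile must be kept in the repository would make that expectation explicit.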
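Review bot: The lock state that `resolutionStrategy.activateDependencyLocking()` enables is not generated by this change — Gradle only writes lockfiles on a `--write-locks` run — yet the workflow hunk in this commit renames `gradle/dependency-locks/platform.lockfile` as if it already existed, so the scan job depends on a lockfile being committed alongside and regenerated after every dependency change. Extend the comment to say so, e.g. `// activate dependency locking for generating a lockfile for security scanning; regenerate with ./gradlew dependencies --write-locks after dependency changes and commit the result`. In the default lock mode a locked configuration with no lock state still resolves unlocked, which means the scanner silently sees nothing for it; if the intent is that every locked configuration is scanned, `dependencyLocking { lockMode = LockMode.STRICT }` makes a missing lockfile a build error — confirm that matches the intended scope, which I cannot tell from the hunk. The enclosing `configurations` block starts before and ends after this hunk.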