diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 128e0bae8c5..c52a83f93e7 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -102,10 +102,29 @@ jobs: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true files: ./cover.out + vuln-check: + name: Vulnerability Check + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Run govulncheck + id: govulncheck + uses: golang/govulncheck-action@v1 + with: + go-version-file: go.mod + go-package: ./... + output-format: sarif + output-file: govulncheck.sarif + - name: Upload SARIF to GitHub Code Scanning + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: govulncheck.sarif trigger-beekeeper: name: Trigger Beekeeper runs-on: ubuntu-latest - needs: [test, lint, coverage] + needs: [test, lint, coverage, vuln-check] if: github.ref == 'refs/heads/master' steps: - name: Checkout diff --git a/Makefile b/Makefile index 4e5fcefef98..3fb9b56d89f 100644 --- a/Makefile +++ b/Makefile @@ -91,6 +91,14 @@ lint: linter linter: test -f $(GOLANGCI_LINT) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$($(GO) env GOPATH)/bin $(GOLANGCI_LINT_VERSION) +.PHONY: install-govulncheck +install-govulncheck: + @command -v govulncheck >/dev/null 2>&1 || go install golang.org/x/vuln/cmd/govulncheck@latest + +.PHONY: govulncheck +govulncheck: install-govulncheck binary + govulncheck -mode=binary ./dist/bee + .PHONY: check-whitespace check-whitespace: TREE=$$(git hash-object -t tree /dev/null); \
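Review bot: The new `vuln-check` job declares no `permissions:` block, yet its last step calls `github/codeql-action/upload-sarif@v3`, which needs `security-events: write` (and `actions: read` on private repositories); unless the workflow's top-level `permissions` — outside this hunk — already grants that, the upload fails, so give the job an explicit least-privilege block: `permissions:` / `contents: read` / `security-events: write`. Worth confirming as well: with `output-format: sarif` govulncheck, as far as I recall, exits 0 even when it finds vulnerabilities, so adding `vuln-check` to `needs: [test, lint, coverage, vuln-check]` on `trigger-beekeeper` gates only on the scanner running, not on its findings — if Code Scanning alerts are the intended gate, say so in a comment above the job, e.g. `# Findings surface as Code Scanning alerts; this job fails only on scanner errors`. The three actions are pinned to mutable major tags (`@v4`, `@v1`, `@v3`); pinning each to a full commit SHA with the tag kept as a trailing comment is the supply-chain hardening GitHub recommends, so match whatever the rest of this file does, and the same concern applies to the Makefile hunk's `govulncheck@latest`. Finally, `if: always()` also runs the upload after a cancel; `if: ${{ !cancelled() }}` is the usual form.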