diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 000000000..992292119
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,70 @@
+name: Scan latest app and container
+on:
+ push:
+ pull_request:
+ branches: [ main ]
+ schedule:
+ - cron: '0 0 * * *' # Run every day at 00:00 UTC.
+
+jobs:
+ security-scan-container:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Build container image
+ run: docker build container --tag dangerzone.rocks/dangerzone:latest
+ # NOTE: Scan first without failing, else we won't be able to read the scan
+ # report.
+ - name: Scan container image (no fail)
+ uses: anchore/scan-action@v3
+ id: scan_container
+ with:
+ image: "dangerzone.rocks/dangerzone:latest"
+ fail-build: false
+ only-fixed: true
+ severity-cutoff: critical
+ - name: Upload container scan report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan_container.outputs.sarif }}
+ category: container
+ - name: Inspect container scan report
+ run: cat ${{ steps.scan_container.outputs.sarif }}
+ - name: Scan container image
+ uses: anchore/scan-action@v3
+ with:
+ image: "dangerzone.rocks/dangerzone:latest"
+ fail-build: true
+ only-fixed: true
+ severity-cutoff: critical
+
+ security-scan-app:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ # NOTE: Scan first without failing, else we won't be able to read the scan
+ # report.
+ - name: Scan application (no fail)
+ uses: anchore/scan-action@v3
+ id: scan_app
+ with:
+ path: "."
+ fail-build: false
+ only-fixed: true
+ severity-cutoff: critical
+ - name: Upload application scan report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan_app.outputs.sarif }}
+ category: app
+ - name: Inspect application scan report
+ run: cat ${{ steps.scan_app.outputs.sarif }}
+ - name: Scan application
+ uses: anchore/scan-action@v3
+ with:
+ path: "."
+ fail-build: true
+ only-fixed: true
+ severity-cutoff: critical
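Review bot: The workflow declares no `permissions:` block, yet both `github/codeql-action/upload-sarif@v2` steps need `security-events: write`, so the upload fails on repositories whose default `GITHUB_TOKEN` is read-only, while on repositories with the permissive default every third-party step here (including `anchore/scan-action`) runs with a write-capable token it does not need. Add at workflow level, after `name:`, `permissions:` / `  contents: read` / `  security-events: write`; scan_released.yml in the next hunk has the same gap. The actions are pinned only to major tags (`@v3`, `@v2`); for a workflow whose output lands in the Security tab, pinning the third-party `anchore/scan-action` to a full commit SHA with the tag in a trailing comment would guard against a moved tag. Note also that for `pull_request` runs from forks the token is read-only regardless of this block, so the SARIF upload step will likely need to be skipped there — confirm against the repository's fork policy.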
diff --git a/.github/workflows/scan_released.yml b/.github/workflows/scan_released.yml
new file mode 100644
index 000000000..052d744f9
--- /dev/null
+++ b/.github/workflows/scan_released.yml
@@ -0,0 +1,77 @@
+name: Scan released app and container
+on:
+ schedule:
+ - cron: '0 0 * * *' # Run every day at 00:00 UTC.
+
+jobs:
+ security-scan-container:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Download container image for the latest release
+ run: |
+ VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
+ wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
+ - name: Load container image
+ run: docker load -i container.tar.gz
+ # NOTE: Scan first without failing, else we won't be able to read the scan
+ # report.
+ - name: Scan container image (no fail)
+ uses: anchore/scan-action@v3
+ id: scan_container
+ with:
+ image: "dangerzone.rocks/dangerzone:latest"
+ fail-build: false
+ only-fixed: true
+ severity-cutoff: critical
+ - name: Upload container scan report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan_container.outputs.sarif }}
+ category: container
+ - name: Inspect container scan report
+ run: cat ${{ steps.scan_container.outputs.sarif }}
+ - name: Scan container image
+ uses: anchore/scan-action@v3
+ with:
+ image: "dangerzone.rocks/dangerzone:latest"
+ fail-build: true
+ only-fixed: true
+ severity-cutoff: critical
+
+ security-scan-app:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: Checkout the latest released tag
+ run: |
+ VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
+ git checkout $VERSION
+ # NOTE: Scan first without failing, else we won't be able to read the scan
+ # report.
+ - name: Scan application (no fail)
+ uses: anchore/scan-action@v3
+ id: scan_app
+ with:
+ path: "."
+ fail-build: false
+ only-fixed: true
+ severity-cutoff: critical
+ - name: Upload application scan report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan_app.outputs.sarif }}
+ category: app
+ - name: Inspect application scan report
+ run: cat ${{ steps.scan_app.outputs.sarif }}
+ - name: Scan application
+ uses: anchore/scan-action@v3
+ with:
+ path: "."
+ fail-build: true
+ only-fixed: true
+ severity-cutoff: critical
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e38600b2..73abee5b7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 ## [Unreleased]
+### Security
+
+- Continuously scan our Python dependencies and container image for
+ vulnerabilities ([issue #222](https://github.com/freedomofpress/dangerzone/issues/222))
+
 ## Dangerzone 0.4.1
 ### Added
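Review bot: The `Download container image for the latest release` and `Checkout the latest released tag` steps query `api.github.com` unauthenticated and without `curl -f`, so an error body (for example the unauthenticated rate limit that hosted runners share by IP) makes `jq -r '.tag_name'` print `null` and the step carries on to `wget .../null/container.tar.gz` or `git checkout null` with a misleading failure. Authenticate and fail early in both steps: `set -euo pipefail`, `VERSION=$(curl -fsSL -H "Authorization: Bearer ${{ github.token }}" https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -er '.tag_name')`, and quote `"$VERSION"` in the `wget` URL and the `git checkout` (jq's `-e` exits non-zero when the result is `null`). The downloaded `container.tar.gz` is handed straight to `docker load` with no integrity check; if the release also publishes a checksum or signature for that asset, verifying it before the load would keep a tampered artifact out of the scan and the SARIF report. The scan steps then target `dangerzone.rocks/dangerzone:latest`, which presumes the tarball's embedded tag is `latest` rather than the release version — worth confirming against how the released image is tagged, since a mismatched name would make the scan error out instead of scanning the released image.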