diff --git a/.github/workflows/test-tfsec.yml b/.github/workflows/test-tfsec.yml
new file mode 100644
index 000000000..c1c6d6e23
--- /dev/null
+++ b/.github/workflows/test-tfsec.yml
@@ -0,0 +1,42 @@
+name: Terraform security scanner
+
+on:
+workflow_dispatch:
+push:
+branches:
+- main
+paths:
+- "**.tf"
+pull_request:
+paths:
+- "**.tf"
+
+permissions:
+contents: read
+pull-requests: write
+
+# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+tfsec:
+name: tfsec
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+with:
+ref: ${{ github.event.pull_request.head.sha }}
+
+- name: tfsec
+uses: aquasecurity/tfsec-pr-commenter-action@1015a3975c7f1400ee4d9f423a7786a3df9fcbec
+with:
+tfsec_formats: default,text
+tfsec_args: --force-all-dirs
+github_token: ${{ github.token }}
+
+- name: tfsec summary
+shell: bash
+run: cat results.text | tail -n 27 >> $GITHUB_STEP_SUMMARY
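Review bot: The `tfsec summary` step at the end of the hunk has no `if:` condition, so if the preceding tfsec step exits non-zero (which a scanner action presumably does when it reports findings, unless a soft-fail option is set) the summary is skipped exactly when there is something worth showing; add `if: always()` to that step so the tail of the report always lands in the job summary. The `run` line also pipes `cat` into `tail` and leaves the environment variable unquoted — `run: tail -n 27 results.text >> "$GITHUB_STEP_SUMMARY"` is the idiomatic form, and a one-line comment above it explaining why the last 27 lines are taken (presumably the results table of tfsec's text output, which is inferred from `tfsec_formats: default,text` rather than stated) would spare the next maintainer from guessing. Both `uses:` lines are pinned to full commit SHAs, which is the right supply-chain practice; appending the release tag each SHA resolves to as a trailing comment, e.g. `uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # vX.Y.Z (placeholder, fill in the tag)`, lets reviewers and Dependabot see which version is pinned when the SHA is later bumped.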