diff --git a/.changelog/11956.txt b/.changelog/11956.txt
new file mode 100644
index 0000000000..716a6f1ae6
--- /dev/null
+++ b/.changelog/11956.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ci: Enable security scanning for CRT
+```
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5b8666bfcd..a6069e1058 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,9 +3,9 @@ name: build
 on:
 push:
 # Sequence of patterns matched against refs/heads
- branches: [
- "main"
- ]
+ branches:
+ # Push events on the main branch
+ - main
 
 env:
 PKG_NAME: consul
diff --git a/.release/ci.hcl b/.release/ci.hcl
index b248590b83..bf4a2144f3 100644
--- a/.release/ci.hcl
+++ b/.release/ci.hcl
@@ -42,8 +42,36 @@ event "upload-dev" {
 }
 }
 
-event "notarize-darwin-amd64" {
+event "security-scan-binaries" {
 depends = ["upload-dev"]
+ action "security-scan-binaries" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "security-scan-binaries"
+ config = "security-scan.hcl"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "security-scan-containers" {
+ depends = ["security-scan-binaries"]
+ action "security-scan-containers" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "security-scan-containers"
+ config = "security-scan.hcl"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "notarize-darwin-amd64" {
+ depends = ["security-scan-containers"]
 action "notarize-darwin-amd64" {
 organization = "hashicorp"
 repository = "crt-workflows-common"
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
new file mode 100644
index 0000000000..6a2a57b8b8
--- /dev/null
+++ b/.release/security-scan.hcl
@@ -0,0 +1,19 @@
+container {
+ dependencies = true
+ alpine_secdb = true
+
+ secrets {
+ all = true
+ }
+}
+
+binary {
+ go_modules = true
+ osv = true
+ oss_index = true
+ nvd = true
+
+ secrets {
+ all = true
+ }
+}
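Review bot: In ci.hcl, `security-scan-containers` depends on `security-scan-binaries` rather than on `upload-dev`, so a failed binary scan means the container images are never scanned and their findings are never reported for that release; if the intent is to surface both result sets every time, and `depends` accepts more than one entry as its list syntax suggests, both scan events could depend on `upload-dev` with `notarize-darwin-amd64` depending on both. Each new event notifies only `on = "fail"`, and since notarization is chained behind the scans that failure is what stops the release, which deserves a comment for readers of this file, e.g. `# A failing scan stops the release chain here; notarization only runs after both scans pass.` The `notarize-darwin-amd64` event body continues past the end of the hunk.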
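Review bot: The new security-scan.hcl enables every scanner (`dependencies`, `alpine_secdb`, `go_modules`, `osv`, `oss_index`, `nvd`, and `secrets { all = true }` for both targets) without a comment saying what the file is for or what a finding does to the pipeline; its only link to a consumer is the `config = "security-scan.hcl"` reference in ci.hcl. A header such as `# Scanner settings for the security-scan-binaries/containers events in .release/ci.hcl; a failing scan blocks notarization.` would make that explicit. No exception list or severity threshold appears in the file, so if the scanning workflow supports one it may be worth recording where findings are expected to be triaged.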
diff --git a/Dockerfile b/Dockerfile
index 8d5931e91c..1c9e4f6986 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # This Dockerfile creates a production release image for the project using crt release flow.
-FROM alpine:3.13 as default
+FROM alpine:3 as default
 ARG VERSION
 ARG BIN_NAME
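Review bot: `FROM alpine:3` floats to whatever the latest 3.x image is at build time, so the release image's base layer can differ between two builds of the same commit and the results of the newly added container scan only describe the base that happened to be resolved during that run. If reproducible release builds are a goal, pin the base by digest (`FROM alpine:3@sha256:<digest>`, placeholder) and refresh it deliberately; otherwise a comment stating that the floating tag is intentional, e.g. `# alpine:3 intentionally floats to the latest 3.x to pick up base-image fixes`, would record the trade-off next to the line.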