diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
new file mode 100644
index 000000000..5ed4c7d1a
--- /dev/null
+++ b/.github/workflows/govulncheck.yaml
@@ -0,0 +1,47 @@
+# https://go.dev/security/vuln
+name: govulncheck
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+env:
+  # Use the Go toolchain installed by setup-go
+  # https://github.com/actions/setup-go/issues/457
+  GOTOOLCHAIN: local
+
+jobs:
+  vulnerabilities:
+    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+    permissions:
+      security-events: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Install Go and produce a SARIF report. This fails only when the tool is
+      # unable to scan.
+      - uses: golang/govulncheck-action@v1
+        with:
+          output-format: 'sarif'
+          output-file: 'govulncheck-results.sarif'
+          repo-checkout: false
+
+      # Submit the SARIF report to GitHub code scanning. Pull request checks
+      # succeed or fail according to branch protection rules.
+      # - https://docs.github.com/en/code-security/code-scanning
+      # TODO: https://go.dev/issue/70157
+      - if: ${{ false }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'govulncheck-results.sarif'
+
+      # Print any detected vulnerabilities to the workflow log. This step fails
+      # when the tool detects a vulnerability in code that is called.
+      # - https://go.dev/blog/govulncheck
+      - uses: golang/govulncheck-action@v1
+        with:
+          repo-checkout: false
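Review bot: Every action in the new workflow (`actions/checkout@v4`, `golang/govulncheck-action@v1`, `github/codeql-action/upload-sarif@v3`) is referenced by a mutable tag, so the job that is meant to vouch for the repository's dependencies is itself exposed to a retagged or compromised action release; pin each `uses:` to a full-length commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`, and let Dependabot or Renovate advance the pins. The job-level `permissions:` block grants only `security-events: write`, which sets every other scope to `none`; since the only step that needs that scope is disabled by `if: ${{ false }}`, consider adding an explicit `contents: read` for the checkout step and deferring `security-events: write` until the TODO is resolved, so the two govulncheck runs hold no write permission they do not use. The `GOTOOLCHAIN: local` comment cites setup-go although no setup-go step is visible; if the toolchain is installed indirectly by `golang/govulncheck-action`, say so in the comment (`# govulncheck-action installs Go via setup-go; keep it from auto-downloading another toolchain`) so a later maintainer does not remove the variable as unused.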