diff --git a/.github/workflows/web-scan.yml b/.github/workflows/web-scan.yml
new file mode 100644
index 00000000..54da7c50
--- /dev/null
+++ b/.github/workflows/web-scan.yml
@@ -0,0 +1,48 @@
+name: 'Security web scan for zot'
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ release:
+ types:
+ - published
+
+permissions:
+ contents: read
+ issues: write
+
+jobs:
+ zap_scan:
+ runs-on: ubuntu-latest
+ name: Scan the webapplication
+ strategy:
+ matrix:
+ flavor: [zot-minimal-linux-amd64, zot-linux-amd64]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ ref: main
+ - name: Setup
+ run: |
+ # upload images, zot can serve OCI image layouts directly like so
+ mkdir /tmp/zot
+ skopeo copy --format=oci docker://busybox:latest oci:/tmp/zot/busybox:latest
+ # start zot
+ docker pull ghcr.io/project-zot/zot-minimal-linux-amd64:latest
+ docker run -d --name zot -v /tmp/zot:/var/lib/registry -p 8000:5000 ghcr.io/project-zot/${{ matrix.flavor }}:latest
+ # wait until service is up
+ while true; do x=0; curl -f http://$REGISTRY_HOST/v2/ || x=1; if [ $x -eq 0 ]; then break; fi; sleep 1; done
+ env:
+ REGISTRY_HOST: localhost:8000
+ - name: ZAP Scan
+ uses: zaproxy/action-baseline@v0.7.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ docker_name: 'owasp/zap2docker-stable'
+ target: 'http://localhost:8000'
+ rules_file_name: '.zap/rules.tsv'
+ cmd_options: '-a'
diff --git a/.zap/rules.tlv b/.zap/rules.tlv
new file mode 100644
index 00000000..1a51ea30
--- /dev/null
+++ b/.zap/rules.tlv
@@ -0,0 +1 @@
+10049 IGNORE (Storable and Cacheable Content)
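Review bot: The workflow passes `rules_file_name: '.zap/rules.tsv'`, but the file added in the second hunk of this diff is `.zap/rules.tlv`, so the ZAP action will not find the IGNORE rule for 10049 and the baseline scan will run without it; rename the file to `.zap/rules.tsv` (or correct the option) so the two agree. The readiness loop in the Setup step has no upper bound, so a registry container that never answers leaves the job spinning until the runner's job timeout; a bounded form such as `for i in $(seq 1 60); do curl -sf "http://$REGISTRY_HOST/v2/" && break; sleep 1; done` followed by a final `curl -sf "http://$REGISTRY_HOST/v2/"` fails the step promptly under the default `bash -e` shell. The `docker pull` line always fetches `zot-minimal-linux-amd64` while the following `docker run` uses `${{ matrix.flavor }}`, so for the second matrix entry the explicit pull is wasted and a different image is fetched at run time; use `${{ matrix.flavor }}` in both. With `ref: main` on checkout, a pull_request run scans main's `.zap` rules rather than the PR's, and `actions/checkout@v2` and `zaproxy/action-baseline@v0.7.0` are pinned by mutable tag rather than commit SHA, which a workflow granted `issues: write` should avoid. If the ZAP container is not started on the host network, `target: 'http://localhost:8000'` may not reach the registry published on the runner host — worth confirming against the action's docker invocation.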