diff --git a/.drone.star b/.drone.star
index 887edb5d4c..03852458f6 100644
--- a/.drone.star
+++ b/.drone.star
@@ -318,7 +318,8 @@ def testOcisAndUploadResults(ctx):
     scan_result_upload = uploadScanResults(ctx)
     scan_result_upload["depends_on"] = getPipelineNames([pipeline])
 
-    return [pipeline, scan_result_upload]
+    security_scan = scanOcis(ctx)
+    return [pipeline, scan_result_upload, security_scan]
 
 def testPipelines(ctx):
     pipelines = []
@@ -505,6 +506,38 @@ def testOcis(ctx):
         "volumes": [pipelineVolumeGo],
     }
 
+def scanOcis(ctx):
+    steps = skipIfUnchanged(ctx, "unit-tests") + restoreGoBinCache() + makeGoGenerate("") + [
+        {
+            "name": "govulncheck",
+            "image": OC_CI_GOLANG,
+            "commands": [
+                "make govulncheck",
+            ],
+            "environment": DRONE_HTTP_PROXY_ENV,
+            "volumes": [stepVolumeGo],
+        },
+    ]
+
+    return {
+        "kind": "pipeline",
+        "type": "docker",
+        "name": "go-vulnerability-scanning",
+        "platform": {
+            "os": "linux",
+            "arch": "amd64",
+        },
+        "steps": steps,
+        "trigger": {
+            "ref": [
+                "refs/heads/master",
+                "refs/pull/**",
+            ],
+        },
+        "depends_on": getPipelineNames(getGoBinForTesting(ctx)),
+        "volumes": [pipelineVolumeGo],
+    }
+
 def buildOcisBinaryForTesting(ctx):
     return {
         "kind": "pipeline",
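Review bot: The new `go-vulnerability-scanning` pipeline in `scanOcis` is gated by `skipIfUnchanged(ctx, "unit-tests")` and triggers only on `refs/heads/master` and `refs/pull/**`, so an advisory published for an already-pinned dependency is not detected until some unrelated Go change lands — govulncheck's findings move with the vulnerability database, not only with the source tree. Consider leaving the unchanged-files skip off this step and, if the project already uses Drone cron triggers, adding a scheduled run under `trigger` so the module graph on master is re-checked periodically. Whether `make govulncheck` fails the pipeline on a finding depends on the Makefile target, which is outside this diff; if it does, a single new advisory blocks every open PR, which is defensible but deserves a comment on the step such as `# fails on any known vulnerability reachable from the module graph; fix by bumping the dependency`. `scanOcis` also has no docstring; a one-liner like `"""Pipeline running govulncheck on the Go module graph for master and pull requests."""` would match the file's other pipeline builders.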