diff --git a/.github/actions/golang/action.yaml b/.github/actions/golang/action.yaml
new file mode 100644
index 00000000..f2d940b1
--- /dev/null
+++ b/.github/actions/golang/action.yaml
@@ -0,0 +1,10 @@
+name: setup-go
+description: "Setup Go binary and caching"
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ with:
+ go-version-file: './go.mod'
+ cache: true
\ No newline at end of file
diff --git a/.github/codeql.yaml b/.github/codeql.yaml
new file mode 100644
index 00000000..4287ca86
--- /dev/null
+++ b/.github/codeql.yaml
@@ -0,0 +1 @@
+#
\ No newline at end of file
diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml
new file mode 100644
index 00000000..81a08e1c
--- /dev/null
+++ b/.github/workflows/scan-codeql.yaml
@@ -0,0 +1,58 @@
+name: Scan CVEs
+
+permissions:
+ contents: read
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ paths-ignore:
+ - "**.md"
+ - "**.jpg"
+ - "**.png"
+ - "**.gif"
+ - "**.svg"
+ - "adr/**"
+ - "docs/**"
+ - "CODEOWNERS"
+
+ schedule:
+ - cron: "32 2 * * 5"
+
+jobs:
+ scan-cves:
+ name: Scan CVEs
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["go"]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+ with:
+ languages: ${{ matrix.language }}
+ # config-file: ./.github/codeql.yaml #Uncomment once config file is needed.
+
+ - name: Build
+ run: make build
+
+ - name: Perform CodeQL Analysis
+ id: scan
+ uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+ with:
+ category: "/language:${{matrix.language}}"
+
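Review bot: The `- name: Checkout` step in scan-codeql.yaml leaves actions/checkout at its default `persist-credentials: true`, so the job's GITHUB_TOKEN is written into `.git/config` and stays readable by the `make build` step and any tooling it invokes; the scorecard workflow added in this same commit already sets `persist-credentials: false`, and this workflow should match it by adding `with:` / `persist-credentials: false` under that step. The token is read-only here (`contents: read` at both workflow and job level), so the blast radius is limited, but a build step has no need for it. Separately, `name: Scan CVEs` / `scan-cves` mislabels what runs: CodeQL init/analyze is static analysis of the repository's own Go code, not a dependency or CVE scan, so a reader could wrongly assume known-vulnerable modules are covered; `name: CodeQL` would be accurate. The commented-out `config-file: ./.github/codeql.yaml` line points at the one-character placeholder file this commit also adds; either wire it up or drop the placeholder until a config is actually needed, so the reference and the file do not drift apart.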
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
new file mode 100644
index 00000000..d8382877
--- /dev/null
+++ b/.github/workflows/scorecard.yaml
@@ -0,0 +1,51 @@
+name: OpenSSF Scorecard
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '40 5 * * 5'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ scorecard:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ # Format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+ with:
+ sarif_file: results.sarif
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index a84fe8e8..18c9c2e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-lula
+bin/
 compliance_report-*
 out/
\ No newline at end of file
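Review bot: The job-level `permissions:` block under `scorecard:` (`security-events: write`, `id-token: write`) replaces the workflow-level `permissions: read-all` rather than extending it, so for this job every unlisted scope, including `contents` and `actions`, is `none`. As far as I can tell that still works for a public repository, which the Scorecard badge added to the README implies this is, but the checkout and the `actions: read`-dependent Scorecard checks will start failing if the repository is ever made private, and nothing in the file records that assumption. Adding `contents: read` and `actions: read` to the job-level block keeps the effective least-privilege set explicit and grants nothing beyond what `read-all` already intended; at minimum a comment such as `# contents/actions are not needed on a public repo; add contents: read and actions: read if the repo becomes private` should sit above the block. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while it is new.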
diff --git a/README.md b/README.md index eb20d157..236743c4 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,9 @@ # Lula - The Kubernetes Compliance Engine -lula is a tool written to bridge the gap between expected configuration required for compliance and **_actual_** configuration. +[![Go version](https://img.shields.io/github/go-mod/go-version/defenseunicorns/lula?filename=go.mod)](https://go.dev/) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/lula/badge)](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/lula) + +Lula is a tool written to bridge the gap between expected configuration required for compliance and **_actual_** configuration. Cloud Native Infrastructure, Platforms, and applications can establish OSCAL documents that live beside source-of-truth code bases. Providing an inheritance model for when a control that the technology can satisfy _IS_ satisfied in a live-environment.