From dc7b1d66a6d4c3bf36862103943ec50ffd7a9ee1 Mon Sep 17 00:00:00 2001
From: saperi
Date: Tue, 21 Apr 2026 13:17:50 -0700
Subject: [PATCH] add security.yml
---
.github/workflows/security.yml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 .github/workflows/security.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000..7d8187b9
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,24 @@
+name: Security
+# Slack: #help-product-security
+
+permissions:
+ contents: write # Needed by both CodeQL and dependency review
+ pull-requests: write # Needed by dependency review
+ statuses: write # Needed by dependency review (to post checks)
+ security-events: write # Needed by CodeQL to upload SARIF
+ packages: read # Needed by CodeQL for private/internal packs
+ actions: read # Needed by CodeQL to access internal actions
+
+on:
+ pull_request:
+ branches: [ main ]
+ push:
+ branches: [ main ]
+ workflow_dispatch:
+
+jobs:
+ code-scanning:
+ uses: braintree/security-workflows/.github/workflows/codeql-android.yml@main
+
+ dependency-review:
+ uses: braintree/security-workflows/.github/workflows/dependency-review-gradle.yml@main
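Review bot: Both `uses:` lines under `jobs:` reference the reusable workflows at `@main`, a mutable ref, while the workflow-level `permissions:` block hands the same token, including `contents: write`, `pull-requests: write`, `statuses: write` and `security-events: write`, to both jobs. Any later commit on that branch of braintree/security-workflows would then run in this repository with those write scopes on every push and pull request to main, without a change being reviewed here; pinning each reference to a full commit SHA makes updates explicit. Scoping the permissions per calling job, following the per-line comments already in the file, keeps the CodeQL job from holding PR/status write and the dependency-review job from holding `security-events: write`. Whether `contents: write` (rather than `read`) is actually required cannot be told from this file and is worth confirming against the called workflows, since a caller can only narrow what the callee receives.

```yaml
# … unchanged: name, Slack comment, on: triggers …

# Default to no token scopes; each job opts in to what it needs.
permissions: {}

jobs:
  code-scanning:
    permissions:
      contents: write          # per the original comment; confirm read is insufficient
      security-events: write   # SARIF upload
      packages: read
      actions: read
    # <full-commit-sha> is a placeholder: use the reviewed 40-character commit SHA
    uses: braintree/security-workflows/.github/workflows/codeql-android.yml@<full-commit-sha>

  dependency-review:
    permissions:
      contents: write          # per the original comment; confirm read is insufficient
      pull-requests: write
      statuses: write
    uses: braintree/security-workflows/.github/workflows/dependency-review-gradle.yml@<full-commit-sha>
```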