diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a6c183c..73f25dc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,7 @@ jobs:
 uses: nocoo/base-ci/.github/workflows/bun-quality.yml@v2026
 with:
 test-command: "bun run test"
- enable-security: "false"
+ enable-security: "true"
+ osv-config: "osv-scanner.toml"
 enable-l2: "false"
 secrets: inherit
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..f2b2925
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,8 @@
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+ '''bun\.lock''',
+ '''package-lock\.json''',
+]
diff --git a/.husky/pre-commit b/.husky/pre-commit
new file mode 100755
index 0000000..f7cd706
--- /dev/null
+++ b/.husky/pre-commit
@@ -0,0 +1,2 @@
+bun run lint
+bun run typecheck
diff --git a/.husky/pre-push b/.husky/pre-push
new file mode 100755
index 0000000..045577c
--- /dev/null
+++ b/.husky/pre-push
@@ -0,0 +1,2 @@
+bun run test
+bun run typecheck
diff --git a/bun.lock b/bun.lock
index abf22cb..314ea96 100644
--- a/bun.lock
+++ b/bun.lock
@@ -4,6 +4,9 @@ "workspaces": { "": { "name": "flow", + "devDependencies": { + "husky": "^9.1.7", + }, }, "apps/api": { "name": "api",
@@ -537,6 +540,8 @@ "html-escaper": ["html-escaper@2.0.2", "", {}, "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg=="], + "husky": ["husky@9.1.7", "", { "bin": { "husky": "bin.js" } }, "sha512-5gs5ytaNjBrh5Ow3zrvdUUY+0VxIuWVL4i9irt6friV+BqdCfmV11CQTWMiBYWHbXhco+J1kHfTOUkePhCDvMA=="], + "ignore": ["ignore@5.3.2", "", {}, "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g=="], "import-fresh": ["import-fresh@3.3.1", "", { "dependencies": { "parent-module": "^1.0.0", "resolve-from": "^4.0.0" } }, "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ=="],
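Review bot: In the `.github/workflows/ci.yml` hunk, the reusable workflow that now runs the security jobs is referenced by a mutable tag (`@v2026`) while `secrets: inherit` hands it every repository secret, so whoever can move that tag controls code that runs with those secrets. Pin the reference to a full commit SHA, e.g. `uses: nocoo/base-ci/.github/workflows/bun-quality.yml@<full-commit-sha> # v2026`, and pass only the secrets the called workflow declares instead of `secrets: inherit`. Both lines are context in this hunk rather than added lines, and the job definition starts above it.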
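Review bot: The two `paths` patterns in `.gitleaks.toml` are unanchored regular expressions, so they exempt any path that merely contains `bun.lock` or `package-lock.json` (a copy in another directory, a file with an extra suffix), not only the lockfiles themselves. Anchor them, e.g. `'''(^|/)bun\.lock$'''` and `'''(^|/)package-lock\.json$'''`. A one-line comment above the list saying why lockfiles are skipped would also help the next person decide whether a new entry belongs there.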
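Review bot: `.husky/pre-commit` runs only lint and typecheck, so the gitleaks configuration added in this same commit is not exercised before a secret lands in local history. The earliest scan would be in CI after the push, assuming the shared workflow runs gitleaks, which this diff does not show. If gitleaks is expected on developer machines, add a staged-changes scan as the first line of the hook, e.g. `gitleaks git --pre-commit --staged --redact`. Hooks can be skipped with `--no-verify`, so the CI scan should remain the enforcing control. `.husky/pre-push` also repeats `bun run typecheck`, which has already run at commit time.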
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000..6a214e9
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,6 @@
+[[PackageOverrides]]
+# Add known false positives below
+# name = "example-package"
+# ecosystem = "npm"
+# ignore = true
+# reason = "false positive"
diff --git a/package.json b/package.json
index 3320a6c..e2986d4 100644
--- a/package.json
+++ b/package.json
@@ -1,17 +1,24 @@
 {
 "name": "flow",
 "private": true,
- "workspaces": ["apps/*", "packages/*"],
+ "workspaces": [
+ "apps/*",
+ "packages/*"
+ ],
 "scripts": {
 "dev": "bun run --filter '*' dev",
 "dev:web": "bun run --filter web dev",
 "dev:api": "bun run --filter api dev",
 "lint": "bun run --filter '*' lint",
 "test": "bun run --filter '*' test",
- "typecheck": "bun run --filter '*' typecheck"
+ "typecheck": "bun run --filter '*' typecheck",
+ "prepare": "husky"
 },
 "overrides": {
 "picomatch": "^4.0.4",
 "vite": "^8.0.5"
+ },
+ "devDependencies": {
+ "husky": "^9.1.7"
 }
 }
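Review bot: `osv-scanner.toml` ships an active `[[PackageOverrides]]` header with every field commented out, which leaves one empty override entry in the config that CI now loads. As far as I know, unset match fields in an override act as wildcards, so uncommenting only `ignore = true` would silence findings for every package. Comment the header out too (`# [[PackageOverrides]]`) until a real entry exists. The template also steers people toward package-wide `ignore = true`, which hides future advisories for that package as well. Prefer an `[[IgnoredVulns]]` entry keyed on the advisory `id` with an `ignoreUntil` date and a `reason`, or at least add `effectiveUntil` to the override.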
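Review bot: The new `"prepare": "husky"` script in `package.json` runs on every install, including CI and any install that omits devDependencies, where the `husky` binary is absent and the script exits non-zero. Husky's own guidance for that case is `"prepare": "husky || true"`. Where hooks should not be installed at all (CI runners, container builds), setting `HUSKY=0` in that environment skips the setup. The hooks themselves are a local convenience and not an enforcement point, so the lint, typecheck and test gates still need to run in CI.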