diff --git a/.github/workflows/scan-provider-agents.yaml b/.github/workflows/scan-provider-agents.yaml
new file mode 100644
index 0000000..5197e2b
--- /dev/null
+++ b/.github/workflows/scan-provider-agents.yaml
@@ -0,0 +1,73 @@
+name: scan-provider-agents
+
+on:
+ pull_request:
+ paths:
+ - 'cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c'
+ - 'cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c'
+ workflow_dispatch: {}
+
+jobs:
+ scan-provider-agents:
+
+ name: Scan ${{ matrix.provider-agent.file }}
+
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ provider-agent:
+ - dir: cvmassistants/secretprovider/secret-provider-agent/src
+ file: secret_provider_agent.c
+ - dir: cvmassistants/keyprovider/key-provider-agent/src
+ file: key_provider_agent.c
+
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install cppcheck
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y cppcheck
+
+ - name: Check if file changed
+ id: changed
+ uses: tj-actions/changed-files@v47
+ with:
+ files: ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }}
+
+ # correct using: clang-format -style=llvm -i ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }}
+ - name: clang-format scan ${{ matrix.provider-agent.file }}
+ if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
+ uses: DoozyX/clang-format-lint-action@v0.18.2
+ with:
+ source: ${{ matrix.provider-agent.dir }}/${{ matrix.provider-agent.file }}
+ style: llvm
+ inplace: False
+
+ - name: cppcheck scan ${{ matrix.provider-agent.file }}
+ if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
+ working-directory: ${{ matrix.provider-agent.dir }}
+ run: |
+ cppcheck --enable=all --suppress=missingIncludeSystem --xml --output-file=report.xml ${{ matrix.provider-agent.file }}
+
+ - name: Convert cppcheck XML → SARIF
+ if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
+ uses: Flast/cppcheck-sarif@v2
+ with:
+ input: ${{ matrix.provider-agent.dir }}/report.xml
+ output: ${{ matrix.provider-agent.dir }}/report.sarif
+
+ - name: Upload SARIF to GitHub Code Scanning
+ if: steps.changed.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: ${{ matrix.provider-agent.dir }}/report.sarif
+ category: cppcheck
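Review bot: Every third-party action in this hunk is referenced by a mutable tag (`tj-actions/changed-files@v47`, `DoozyX/clang-format-lint-action@v0.18.2`, `Flast/cppcheck-sarif@v2`), so a retargeted tag silently runs different code inside a job that holds `security-events: write`, and tj-actions/changed-files is precisely the action whose tags were pointed at a malicious commit in the March 2025 supply-chain incident. Pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: tj-actions/changed-files@<full-commit-sha>  # v47`, and apply the same to the two GitHub-owned actions for consistency. Since the changed-files step only decides whether to skip the untouched matrix entry, and the checkout already runs with `fetch-depth: 0`, a `git diff --name-only` against the PR base ref in a plain `run:` step would remove that third-party dependency entirely. Separately, `inplace: False` should be lowercase `false`: `False` is a YAML 1.1 boolean that the runner converts to a string before the action reads it, and the canonical spelling avoids relying on that conversion.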