diff --git a/.gitea/workflows/python-security-checks.yml b/.gitea/workflows/python-security-checks.yml
new file mode 100644
index 0000000..de5243a
--- /dev/null
+++ b/.gitea/workflows/python-security-checks.yml
@@ -0,0 +1,35 @@
+name: Reusable Python Security Checks
+
+on:
+  workflow_call:
+    inputs:
+      python_version:
+        type: string
+        default: "3.14"
+      install_command:
+        type: string
+        default: 'python -m pip install "bandit[toml]"'
+      security_command:
+        type: string
+        default: "python -m bandit -r app -c pyproject.toml"
+      working_directory:
+        type: string
+        default: "."
+
+jobs:
+  security:
+    runs-on: docker
+    container:
+      image: python:${{ inputs.python_version }}-slim
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install security tools
+        working-directory: ${{ inputs.working_directory }}
+        run: ${{ inputs.install_command }}
+
+      - name: Run security scan
+        working-directory: ${{ inputs.working_directory }}
+        run: ${{ inputs.security_command }}
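Review bot: `uses: actions/checkout@v4` on the Checkout step pins a mutable tag rather than an immutable commit, so the code this security workflow executes can change without any change to this file; for a reusable workflow that other repositories will call, pin the full commit SHA and keep the tag as a comment, `uses: actions/checkout@<FULL-COMMIT-SHA-PLACEHOLDER>  # v4`. The same drift applies to the default `install_command`, which installs `bandit[toml]` with no version constraint, so the scanner version (and therefore the findings) varies between runs; a pinned requirement such as `"bandit[toml]==<PINNED-VERSION-PLACEHOLDER>"` keeps results reproducible. The two `run:` steps expand `inputs.install_command` and `inputs.security_command` verbatim into the shell, which is the intended contract here but is undocumented since none of the four inputs has a `description:`; each input should state that its value is executed as a shell command inside the container. If the Gitea runner honours it, a top-level `permissions:` block limited to `contents: read` would also make the least privilege the job needs explicit.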