diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 0000000..e0d7322
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,71 @@
+name: Snyk Security Scan
+
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: '0 6 * * 1' # Weekly on Monday 06:00 UTC
+
+jobs:
+ snyk-backend:
+ name: Python vulnerabilities (backend)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+
+ - name: Install backend dependencies
+ run: pip install -r backend/requirements-lock.txt
+
+ - name: Snyk — scan Python packages
+ uses: snyk/actions/python@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --file=backend/requirements-lock.txt --severity-threshold=high
+ continue-on-error: true # report without blocking CI during initial cleanup
+
+ snyk-frontend:
+ name: npm vulnerabilities (frontend)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+
+ - name: Install frontend dependencies
+ run: npm ci
+ working-directory: frontend
+
+ - name: Snyk — scan npm packages
+ uses: snyk/actions/node@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --file=frontend/package.json --severity-threshold=high
+ continue-on-error: true
+
+ snyk-docker-backend:
+ name: Docker image vulnerabilities (backend)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Build backend image for scanning
+ run: docker build -t aegis-backend:scan backend/
+
+ - name: Snyk — scan Docker image
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: aegis-backend:scan
+ args: --severity-threshold=high
+ continue-on-error: true
diff --git a/backend/requirements-lock.txt b/backend/requirements-lock.txt
new file mode 100644
index 0000000..1691b59
--- /dev/null
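Review bot: All three Snyk steps reference the third-party action by a mutable branch (`uses: snyk/actions/python@master`, and likewise the `node` and `docker` variants), so the job that is handed `secrets.SNYK_TOKEN` runs whatever that branch points to at run time rather than a reviewed revision; pin each to a full-length commit SHA, e.g. `uses: snyk/actions/python@<full-commit-sha>  # pinned; bump via Dependabot`. The workflow also declares no `permissions:` block, so every job inherits the repository's default `GITHUB_TOKEN` permissions even though these scan jobs only read the checkout; adding `permissions:` / `  contents: read` at the top level gives them the least privilege they need. Note too that `continue-on-error: true` on every scan step means a high-severity finding never fails the workflow; the backend step's comment frames this as temporary, but the frontend and docker steps carry no such comment, so a dated TODO on them (or a follow-up issue) would keep the exception from quietly becoming permanent.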
+++ b/backend/requirements-lock.txt
@@ -0,0 +1,83 @@
+# Auto-generated from pip freeze on 2026-06-12
+# Exact versions installed in production — used by Snyk for accurate CVE scanning.
+# Regenerate with: docker compose exec backend pip freeze > backend/requirements-lock.txt
+alembic==1.18.4
+annotated-types==0.7.0
+anyio==4.13.0
+APScheduler==3.11.2
+atlassian-python-api==4.0.7
+bcrypt==4.0.1
+beautifulsoup4==4.15.0
+boto3==1.43.27
+botocore==1.43.27
+brotli==1.2.0
+certifi==2026.5.20
+cffi==2.0.0
+charset-normalizer==3.4.7
+click==8.4.1
+cssselect2==0.9.0
+defusedxml==0.7.1
+Deprecated==1.3.1
+docxtpl==0.20.2
+fastapi==0.136.3
+fonttools==4.63.0
+greenlet==3.5.1
+h11==0.16.0
+httpcore==1.0.9
+httptools==0.8.0
+httpx==0.28.1
+idna==3.18
+isodate==0.7.2
+Jinja2==3.1.6
+jmespath==1.1.0
+limits==5.8.0
+lxml==6.1.1
+Mako==1.3.12
+MarkupSafe==3.0.3
+oauthlib==3.3.1
+packaging==26.2
+passlib==1.7.4
+pillow==12.2.0
+psycopg2-binary==2.9.12
+pycparser==3.0
+pydantic==2.13.4
+pydantic-settings==2.14.1
+pydantic_core==2.46.4
+pydyf==0.12.1
+PyJWT==2.13.0
+pyphen==0.17.2
+python-dateutil==2.9.0.post0
+python-docx==1.2.0
+python-dotenv==1.2.2
+python-multipart==0.0.32
+python3-saml==1.16.0
+pytz==2026.2
+PyYAML==6.0.3
+redis==8.0.0
+requests==2.34.2
+requests-oauthlib==2.0.0
+s3transfer==0.18.0
+six==1.17.0
+slowapi==0.1.9
+sortedcontainers==2.4.0
+soupsieve==2.8.4
+SQLAlchemy==2.0.50
+starlette==1.3.0
+taxii2-client==2.3.0
+tempo-api-python-client==0.12.0
+tinycss2==1.5.1
+tinyhtml5==2.1.0
+toml==0.10.2
+typing-inspection==0.4.2
+typing_extensions==4.15.0
+tzlocal==5.3.1
+urllib3==2.7.0
+uvicorn==0.49.0
+uvloop==0.22.1
+watchfiles==1.2.0
+weasyprint==69.0
+webencodings==0.5.1
+websockets==16.0
+wrapt==2.2.1
+xmlsec==1.3.17
+zopfli==0.4.3