diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml
index fda212f05..316b57a4c 100644
--- a/.github/workflows/automated-pr-validator.yml
+++ b/.github/workflows/automated-pr-validator.yml
@@ -4,6 +4,8 @@ on:
 pull_request: types: [opened, synchronize, reopened]
+permissions: {}
+
 jobs: sbom_scan: name: SBOM Repo Scan
@@ -53,13 +55,13 @@ jobs:
 }) const botComment = comments.find(comment => {
- return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
+ return comment.user.type === 'Bot' && comment.body.includes('SBOM issues found')
 }) // 2. Prepare format of the comment
- const output = `### Code security issues found
+ const output = `### SBOM issues found
- View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
+ View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}+tool%3AGrype).`;
 // 3. If we have a comment, update it, otherwise create a new one if (botComment) {
@@ -91,7 +93,7 @@ jobs:
 }) const botComment = comments.find(comment => {
- return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
+ return comment.user.type === 'Bot' && comment.body.includes('SBOM issues found')
 }) // 2. If we have a comment, update it, otherwise create a new one
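Review bot: The workflow-level `permissions: {}` added before `jobs:` removes the default token grants, so every job must now declare the scopes it needs; the sbom_scan job's own permissions block is outside this hunk, so confirm it grants `security-events: write` for its SARIF upload and `pull-requests: write` for the comment steps that the later hunks still edit, otherwise those steps would fail with a 403. The empty default is the right choice and only the per-job blocks, which the diff does not show, need checking.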
@@ -120,3 +122,93 @@ jobs:
 BRANCH_NAME=${{ github.event.repository.default_branch }} chmod +x scripts/markdown-validator.sh scripts/markdown-validator.sh
+
+ checkov:
+ name: Checkov Scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ pull-requests: write # To add/delete the PR comment
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Checkov Scan
+ uses: bridgecrewio/checkov-action@master
+ with:
+ quiet: true
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
+ skip_check: CKV_AWS_144,CKV_AZURE_1
+ # CKV_AWS_144 = Ensure that S3 bucket has cross-region replication enabled | Not required as we only use eu-west-2
+ # CKV_AZURE_1 = Example check to skip - can be deleted once another check is skipped
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v4
+ if: success() || failure()
+ with:
+ sarif_file: results.sarif
+
+ - name: Add/Update Checkov failure comment
+ uses: actions/github-script@v8
+ if: always() && failure()
+ with:
+ script: |
+ // 1. Retrieve existing bot comments for the PR
+ const { data: comments } = await github.rest.issues.listComments({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ })
+
+ const botComment = comments.find(comment => {
+ return comment.user.type === 'Bot' && comment.body.includes('Checkov issues found')
+ })
+
+ // 2. Prepare format of the comment
+ const output = `### Checkov issues found
+ View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}+tool%3Acheckov).`;
+
+ // 3. 
If we have a comment, update it, otherwise create a new one
+ if (botComment) {
+ github.rest.issues.deleteComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: botComment.id,
+ body: output
+ })
+ }
+
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: output
+ })
+
+ - name: Delete Checkov failure comment
+ uses: actions/github-script@v8
+ if: always() && success()
+ with:
+ script: |
+ // 1. Retrieve existing bot comments for the PR
+ const { data: comments } = await github.rest.issues.listComments({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ })
+
+ const botComment = comments.find(comment => {
+ return comment.user.type === 'Bot' && comment.body.includes('Checkov issues found')
+ })
+
+ // 2. If we have a comment, update it, otherwise create a new one
+ if (botComment) {
+ github.rest.issues.deleteComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: botComment.id
+ })
+ }
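Review bot: `uses: bridgecrewio/checkov-action@master` in the Checkov Scan step runs an unpinned, mutable ref inside a job that holds `security-events: write` and `pull-requests: write`, while every other action in the hunk is pinned to a major tag; pin it, e.g. `uses: bridgecrewio/checkov-action@<release-tag-or-commit-sha>` (placeholder), so an upstream change to that branch cannot silently run with those permissions. In the Add/Update Checkov failure comment script, `github.rest.issues.deleteComment` and `github.rest.issues.createComment` are called without `await`, so the delete/create order is not guaranteed and an API error would likely surface as an unhandled rejection rather than a clear step failure; the `body: output` passed to `deleteComment` is not a parameter of that endpoint, and the `// 3.` comment says "update" although the code deletes and recreates. The Delete Checkov failure comment step has the same missing `await` on its `deleteComment` call. `skip_check: CKV_AWS_144,CKV_AZURE_1` suppresses a real check under the "example" comment, so that placeholder should be dropped rather than left to hide findings. `if: always() && failure()` and `if: always() && success()` reduce to `failure()` and `success()`, which read more plainly.
```yaml
      - name: Add/Update Checkov failure comment
        # … unchanged: uses / if …
        with:
          script: |
            // … unchanged: listComments call and botComment lookup …
            // 3. If we have a comment, delete it, then create a fresh one
            if (botComment) {
              await github.rest.issues.deleteComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id
              })
            }

            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })
```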