diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 640beac..25889ec 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -310,3 +310,74 @@ jobs:
 $BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
 echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
 done
+
+ vuln-scan:
+ name: Harbor Vulnerability Scan
+ runs-on: ubuntu-latest
+ needs: [build-push]
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ container:
+ image: python:3.11-slim
+
+ steps:
+ - name: Setup
+ run: |
+ apt-get update -qq && apt-get install -yqq --no-install-recommends git curl >/dev/null
+
+ - name: Fetch harbor-ctl
+ run: |
+ curl -sL "https://git.mymx.me/username/harbor/raw/branch/master/harbor-ctl.py" -o harbor-ctl.py
+ chmod +x harbor-ctl.py
+
+ - name: Trigger and wait for scan
+ env:
+ HARBOR_USER: ${{ secrets.HARBOR_USER }}
+ HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
+ run: |
+ if [ -z "$HARBOR_USER" ] || [ -z "$HARBOR_PASS" ]; then
+ echo "::warning::Harbor credentials not configured - skipping scan"
+ exit 0
+ fi
+
+ echo "Triggering vulnerability scan..."
+ python harbor-ctl.py --url https://harbor.mymx.me \
+ -u "$HARBOR_USER" -p "$HARBOR_PASS" \
+ scan library flaskpaste --wait --timeout 180
+
+ - name: Check for critical vulnerabilities
+ env:
+ HARBOR_USER: ${{ secrets.HARBOR_USER }}
+ HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
+ run: |
+ if [ -z "$HARBOR_USER" ]; then exit 0; fi
+
+ echo "Checking for fixable critical/high vulnerabilities..."
+
+ # Get vulnerability report
+ python harbor-ctl.py --url https://harbor.mymx.me \
+ -u "$HARBOR_USER" -p "$HARBOR_PASS" \
+ vulns library flaskpaste -s critical -l 100 > /tmp/critical.txt 2>&1 || true
+
+ python harbor-ctl.py --url https://harbor.mymx.me \
+ -u "$HARBOR_USER" -p "$HARBOR_PASS" \
+ vulns library flaskpaste -s high -l 100 > /tmp/high.txt 2>&1 || true
+
+ # Check for fixable vulns (have a "Fixed" version that's not "N/A")
+ CRITICAL_FIXABLE=$(grep -v "N/A *$" /tmp/critical.txt | grep -c "^CVE\|^GHSA" || echo 0)
+ HIGH_FIXABLE=$(grep -v "N/A *$" /tmp/high.txt | grep -c "^CVE\|^GHSA" || echo 0)
+
+ echo "Critical fixable: $CRITICAL_FIXABLE"
+ echo "High fixable: $HIGH_FIXABLE"
+
+ if [ "$CRITICAL_FIXABLE" -gt 0 ]; then
+ echo "::error::Found $CRITICAL_FIXABLE fixable critical vulnerabilities"
+ cat /tmp/critical.txt
+ exit 1
+ fi
+
+ if [ "$HIGH_FIXABLE" -gt 0 ]; then
+ echo "::warning::Found $HIGH_FIXABLE fixable high vulnerabilities"
+ cat /tmp/high.txt
+ fi
+
+ echo "Vulnerability scan passed"
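Review bot: The "Check for critical vulnerabilities" step fails open: both `vulns` invocations end with `2>&1 || true`, so an authentication, network or timeout error from harbor-ctl is written into /tmp/critical.txt and /tmp/high.txt instead of failing the step, the grep count then finds no CVE/GHSA lines, and the job prints "Vulnerability scan passed" without any report having been read. Dropping `|| true` from those two lines (the `run: |` shell presumably runs with errexit as on GitHub, so a non-zero exit would fail the step) or asserting that each file contains report output keeps the gate from passing on tool failure. The count lines also misbehave on a clean image: `grep -c` prints `0` and exits 1 when nothing matches, so `|| echo 0` appends a second `0`, `$CRITICAL_FIXABLE` becomes two lines and `[ "$CRITICAL_FIXABLE" -gt 0 ]` errors with "integer expression expected" (treated as false); use `CRITICAL_FIXABLE=$(grep -v "N/A *$" /tmp/critical.txt | grep -c "^CVE\|^GHSA" || true)` and the same for HIGH_FIXABLE. Separately, the "Fetch harbor-ctl" step downloads harbor-ctl.py from the mutable `master` branch on every run and then hands it the Harbor credentials; pinning the URL to a commit and verifying a checksum of the download, or vendoring the script in this repository, fixes the tool's provenance.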