diff --git a/.github/workflows/base-orchestrator.yaml b/.github/workflows/base-orchestrator.yaml
index 1bd4d5c..648bb77 100644
--- a/.github/workflows/base-orchestrator.yaml
+++ b/.github/workflows/base-orchestrator.yaml
@@ -17,4 +17,12 @@ jobs:
 uses: ./.github/workflows/verify-gitignore.yaml
 secrets:
 GH_TOKEN: ${{ secrets.GH_REPO_PAT }}
- # gitignore verify secrets
\ No newline at end of file
+ # gitignore verify secrets
+ trigger-patchhound-scan:
+ if: always()
+ uses: ./.github/workflows/patchhound-scan.yaml
+ secrets:
+ BASE_URL: ${{ secrets.BASE_URL }}
+ ALERT_WEBHOOK: ${{ secrets.ALERT_WEBHOOK }}
+ TOKEN: ${{ secrets.TOKEN }}
+ # PatchHound secrets
diff --git a/.github/workflows/patchhound-scan.yaml b/.github/workflows/patchhound-scan.yaml
new file mode 100644
index 0000000..8b82d11
--- /dev/null
+++ b/.github/workflows/patchhound-scan.yaml
@@ -0,0 +1,42 @@
+name: PatchHound Pipeline
+
+on:
+ workflow_dispatch:
+ workflow_call:
+ secrets:
+ BASE_URL:
+ required: true
+ ALERT_WEBHOOK:
+ required: true
+ TOKEN:
+ required: true
+
+jobs:
+ security-check:
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/bblue530/patchhound_cli:latest
+ env:
+ BASE_URL: ${{ secrets.BASE_URL }}
+ ALERT_WEBHOOK: ${{ secrets.ALERT_WEBHOOK }}
+ TOKEN: ${{ secrets.TOKEN }}
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: PatchHound scan
+ run: |
+ patchhound scan --token "$TOKEN" --set-config BASE_URL "$BASE_URL" ALERT_WEBHOOK "$ALERT_WEBHOOK"
+
+ - name: Upload vulnerability summary
+ uses: actions/upload-artifact@v4
+ with:
+ name: vulnerability-summary
+ path: |
+ summary.md
+ sbom.cyclonedx.json
+ vulns.cyclonedx.json
+ prio_vulns.json
+ sast_report.json
+ trivy_report.json
+ path_to_resources_token.txt
\ No newline at end of file
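Review bot: `if: always()` on the new `trigger-patchhound-scan` job has no effect as written, because the job declares no `needs:`; a job without dependencies is scheduled regardless of the other jobs' outcomes, so the condition only becomes meaningful once a `needs:` list is added. If the intent is to run the scan after the other orchestrated workflows while still skipping cancelled runs, `if: ${{ !cancelled() }}` is the safer form, since `always()` also fires on cancellation and would still invoke the scan and post to the alert webhook. The `jobs:` mapping this job belongs to starts before the hunk, so the sibling job names a `needs:` would reference are not visible here. The trailing `# PatchHound secrets` comment sits after the `secrets:` block it describes, mirroring the existing `# gitignore verify secrets` line; placing it directly above `secrets:` would read more naturally.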
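Review bot: The scan runs inside `ghcr.io/bblue530/patchhound_cli:latest` and checks out with `actions/checkout@v3`, both mutable references, so the code that receives `TOKEN`, `BASE_URL` and `ALERT_WEBHOOK` can change underneath this pipeline with no diff in this repository; pin the image by digest (`image: ghcr.io/bblue530/patchhound_cli@sha256:<digest>`) and the actions by commit SHA, and note that checkout is at `@v3` while upload-artifact is at `@v4`. The artifact list also uploads `path_to_resources_token.txt`; if that file carries a credential, anyone able to read this repository's workflow runs can download it, so it should be dropped from `path:` or confirmed to be non-sensitive. The upload step has no `if:` condition, so a non-zero exit from `patchhound scan` skips the report upload; `if: ${{ !cancelled() }}` on the `Upload vulnerability summary` step keeps the reports available when the scan fails, and `if-no-files-found: error` under `with:` would surface a scan that produced no output instead of silently warning.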