diff --git a/.github/workflows/platform-iac-ci.yml b/.github/workflows/platform-iac-ci.yml
index a63041a..73d206a 100644
--- a/.github/workflows/platform-iac-ci.yml
+++ b/.github/workflows/platform-iac-ci.yml
@@ -15,6 +15,7 @@ on:
 
 permissions:
   contents: read
+  security-events: write
 
 jobs:
   quality-gates:
@@ -45,4 +46,23 @@ jobs:
         with:
           directory: .
           framework: cloudformation,terraform,github_actions
+          soft_fail: false
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
           quiet: true
+
+      - name: Upload Checkov SARIF report
+        if: always()
+        continue-on-error: true
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif
+
+      - name: Static security scan (Trivy IaC misconfigurations)
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          scan-type: config
+          scan-ref: applications/gitops/base
+          hide-progress: true
+          severity: CRITICAL,HIGH
+          exit-code: '1'
diff --git a/README.md b/README.md
index 81594ee..224c209 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ It is also curated as a **Platform Engineering consulting profile project** that
 - Secure-by-default guardrails and policy checks
 - Repository structure for multi-team and multi-environment operation
 - Backstage software template example for self-service service creation
-- CI pipeline for platform IaC quality gates (fmt/validate/lint/security)
+- CI pipeline for platform IaC quality gates (build/test/synth + Checkov + Trivy security scans)
 - GitOps-oriented app delivery guardrails
 - OPA/Conftest policy bundle for Kubernetes deployment security checks
 - Day-2 DX helpers via `Makefile`
diff --git a/applications/gitops/base/sample-service.yaml b/applications/gitops/base/sample-service.yaml
index dc45598..07ad346 100644
--- a/applications/gitops/base/sample-service.yaml
+++ b/applications/gitops/base/sample-service.yaml
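Review bot: `security-events: write` is added to the workflow-level `permissions:` block, so every job in this workflow receives it, although only the SARIF upload step needs it; a job-level block keeps the rest of the workflow at `contents: read`, e.g. under `quality-gates:` add `permissions:` / `contents: read` / `security-events: write`. If `quality-gates` is the only job the effective grant is the same today, but the job-level form still records which step the permission exists for. The `jobs:` mapping continues outside the hunk, so I cannot see whether other jobs exist.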
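Review bot: Both new actions are pinned to mutable tags (`github/codeql-action/upload-sarif@v4`, `aquasecurity/trivy-action@v0.35.0`), so the code that runs in this job can change without any diff in this repository; pinning to a full commit SHA with the tag kept as a comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-placeholder> # v0.35.0`, makes the gate reproducible and still lets Dependabot propose bumps. The Trivy step also covers only `applications/gitops/base` while Checkov scans `.`, and its findings stay on the console rather than going to code scanning, so a comment above that step such as `# Targeted Kubernetes-manifest gate, not a repo-wide scan; findings are console-only` would stop readers from assuming full coverage. With `continue-on-error: true` on the upload step, a missing `results.sarif` (for example when Checkov aborted before writing it) is swallowed silently; if that is intended, `if: always() && hashFiles('results.sarif') != ''` makes the skip explicit instead of a masked failure. The step whose `with:` block opens this hunk, including its own `uses:` pin, starts above the hunk.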
@@ -22,6 +22,12 @@ spec:
       labels:
         app.kubernetes.io/name: sample-service
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 101
+        runAsGroup: 101
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: app
           image: nginx:1.27.0
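Review bot: With `runAsNonRoot: true` and `runAsUser: 101`, the stock `nginx:1.27.0` image two lines below will most likely fail to start, because its default configuration writes to root-owned paths such as `/var/cache/nginx` and `/var/run/nginx.pid`; UID 101 is the `nginx` user in that image, but those directories are not writable by it. Unless the container spec outside this hunk already overrides the config or mounts writable volumes there, the usual fix is the unprivileged variant (`image: nginxinc/nginx-unprivileged:1.27.0`, which runs as UID 101 and listens on 8080) or `emptyDir` volumes at those paths. The pod-level block is also only half of the restricted profile: the container's own `securityContext` (not shown) still needs `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }`, so a comment above `securityContext:` such as `# Pod-level defaults; each container must still drop capabilities and deny privilege escalation` would document the split. The `containers:` entry continues outside the hunk.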