diff --git a/.ci/pipeline_definitions b/.ci/pipeline_definitions
index 6ea0408f..e41eb9ef 100644
--- a/.ci/pipeline_definitions
+++ b/.ci/pipeline_definitions
@@ -34,6 +34,13 @@ gardener-extension-registry-cache:
 attribute: global.image.tag
 base_definition:
+ repo:
+ source_labels:
+ - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
+ value:
+ policy: skip
+ comment: |
+ We use gosec for sast scanning, see attached log.
 traits:
 version:
 preprocess: 'inject-commit-hash'
@@ -79,6 +86,16 @@ gardener-extension-registry-cache:
 nextversion: 'bump_minor'
 next_version_callback: '.ci/prepare_release'
 release_callback: '.ci/prepare_release'
+ assets:
+ - type: build-step-log
+ step_name: verify
+ purposes:
+ - lint
+ - sast
+ - gosec
+ comment: |
+ We use gosec (linter) for SAST scans, see: https://github.com/securego/gosec.
+ Enabled by https://github.com/gardener/gardener-extension-registry-cache/pull/272
 slack:
 default_channel: 'internal_scp_workspace'
 channel_cfgs:
diff --git a/.gitignore b/.gitignore
index 9695f1b4..8d7a518e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,6 @@ TODO
 .go-version
 /gardener
+
+# gosec
+gosec-report.sarif
\ No newline at end of file
diff --git a/Makefile b/Makefile
index ffceda6b..cee29e35 100644
--- a/Makefile
+++ b/Makefile
@@ -90,6 +90,14 @@ generate-in-docker:
 format: $(GOIMPORTS) $(GOIMPORTSREVISER)
 @bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg ./test
+.PHONY: sast
+sast: $(GOSEC)
+ @bash $(GARDENER_HACK_DIR)/sast.sh --exclude-dirs hack,gardener
+
+.PHONY: sast-report
+sast-report: $(GOSEC)
+ @bash $(GARDENER_HACK_DIR)/sast.sh --exclude-dirs hack,gardener --gosec-report true
+
 .PHONY: test
 test:
 @bash $(GARDENER_HACK_DIR)/test.sh ./cmd/... ./pkg/...
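Review bot: The `policy: skip` source-analysis label added under `base_definition.repo.source_labels` switches off the central source scanner for this repository on the strength of a gosec run, so the skip is only as strong as that run being a blocking part of the pipeline, and the `comment` gives a reader no pointer to where it happens. Consider widening the comment to name the step and target that produce the evidence, e.g. `We use gosec for sast scanning (make sast, run by the verify step), see attached log.`, so an auditor can go from the skip label to the gate that replaces it. The `base_definition` mapping continues outside the hunk.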
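Review bot: The new `assets` entry attaches only the `verify` step log for the `sast`/`gosec` purposes, while the Makefile in the same commit wires the report-producing `sast-report` target into `verify-extended` and the plain `sast` target into `verify`, and the `.gitignore` hunk shows the report landing in `gosec-report.sarif`. Depending on which target the `verify` step actually runs, either no SARIF file is produced or it is produced but not declared as an asset; the step definition is outside this hunk, so this is inferred, not observed. A short note in the `comment` naming the make target the step invokes would make the promised "see attached log" verifiable against what the step emits.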
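Review bot: `--exclude-dirs hack,gardener` is repeated verbatim in the `sast` and `sast-report` recipes and carries no rationale, yet every directory left out of the scan is a coverage gap a later reader should be able to justify (the `.gitignore` hunk's `/gardener` entry suggests that one is a fetched checkout rather than project code — confirm). Hoisting the list into one knob keeps the two targets from drifting and gives the exclusion a home for its why-comment: `# directories gosec does not scan (hack: build scripts; gardener: external checkout — confirm)`, `SAST_EXCLUDE_DIRS := hack,gardener`, then `@bash $(GARDENER_HACK_DIR)/sast.sh --exclude-dirs $(SAST_EXCLUDE_DIRS)` in both recipes. `$(GOSEC)` and `sast.sh` are defined outside the hunk, so whether `sast.sh` exits non-zero on findings — which `verify` now depends on to act as a gate — cannot be checked from here.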
@@ -103,10 +111,10 @@ test-clean: @bash $(GARDENER_HACK_DIR)/test-cover-clean.sh .PHONY: verify -verify: check format test +verify: check format test sast .PHONY: verify-extended -verify-extended: check-generate check format test-cov test-clean +verify-extended: check-generate check format test-cov test-clean sast-report test-e2e-local: $(GINKGO) ./hack/test-e2e-local.sh --procs=$(PARALLEL_E2E_TESTS) ./test/e2e/...
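Review bot: `verify-extended` gains `sast-report` but not `sast`, so if `sast.sh --gosec-report true` only writes the report and does not fail on findings, the extended verification would be weaker on SAST than plain `verify`; `sast.sh` lives outside the Makefile, so the hunk cannot show which it is. If report mode is non-blocking, change the line to `verify-extended: check-generate check format test-cov test-clean sast sast-report`; if it is blocking, a comment on the `sast-report` target stating that it fails on findings would settle the question for the next reader. Under `make -j` the new prerequisite runs alongside `test-cov` and `test-clean`, which is fine as long as `sast.sh` writes only its own report file.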