diff --git a/.github/workflows/bearer.yaml b/.github/workflows/bearer.yaml
new file mode 100644
index 0000000..6ec37ee
--- /dev/null
+++ b/.github/workflows/bearer.yaml
@@ -0,0 +1,41 @@
+name: "Bearer"
+
+on:
+ workflow_call:
+ inputs:
+ diff:
+ description: 'Enable differential scanning.'
+ default: false
+ required: false
+ type: boolean
+
+jobs:
+ bearer:
+ name: Bearer Scan
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v3
+
+ - uses: reviewdog/action-setup@v1
+ with:
+ reviewdog_version: latest
+
+ - name: Bearer
+ uses: bearer/bearer-action@v2
+ with:
+ format: rdjson
+ output: rd.json
+ diff: ${{ inputs.diff }}
+ severity: high,critical
+ skip-path: examples/
+ exit-code: 1
+
+ - name: Run reviewdog
+ if: inputs.diff == true
+ env:
+ REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: cat rd.json | reviewdog -f=rdjson -reporter=github-pr-review
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index ae7c8c7..ebfe1cd 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -78,6 +78,12 @@ jobs:
 needs: tests
 uses: ./.github/workflows/codeql.yaml
 
+ bearer:
+ needs: tests
+ uses: ./.github/workflows/bearer.yaml
+ with:
+ diff: ${{ github.event_name == 'pull_request' && true || false }}
+
 regression:
 needs: tests
 uses: ./.github/workflows/regression.yaml
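Review bot: The `Run reviewdog` step only executes when the preceding Bearer step succeeds, yet `exit-code: 1` makes that step fail exactly when there are findings, so in diff mode the PR review comments are never posted when there is something to report; gate it with `if: ${{ always() && inputs.diff == true }}` (the job still fails through Bearer's exit code). The `github-pr-review` reporter also needs the token to be able to write pull-request reviews, i.e. `pull-requests: write`, which the job's `permissions` block does not grant, while `security-events: write` is granted although nothing in the job uploads to code scanning — consider dropping it to keep the token least-privilege. The three action references (`actions/checkout@v3`, `reviewdog/action-setup@v1`, `bearer/bearer-action@v2`) are mutable tags; pinning them to full commit SHAs (`uses: actions/checkout@<commit-sha>  # v3`) is the usual supply-chain hardening for a workflow that runs a security scanner with a repository token. If Bearer's differential mode compares against the base branch, `actions/checkout` with its default shallow clone may not have that history; verify against the action's documentation and add `fetch-depth: 0` if required.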
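Review bot: The expression on the added `diff:` line, `${{ github.event_name == 'pull_request' && true || false }}`, is a redundant ternary — the comparison already yields a boolean, so `diff: ${{ github.event_name == 'pull_request' }}` is equivalent and easier to read. Because the job is declared with `needs: tests`, the Bearer scan is skipped whenever the test job fails; if findings should be reported regardless of test status, drop the dependency or add `if: always()`, matching whatever the sibling `codeql` and `regression` jobs intend. A reusable workflow can only use permissions the caller grants, and the called workflow writes PR reviews and asks for `security-events: write`; the caller's top-level `permissions` is outside this hunk, so verify it covers what the scan actually needs. The enclosing `jobs:` mapping starts before and ends after the hunk.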