diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..0526edc
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,30 @@
+name: Lint
+
+on: [push, pull_request]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ lua-check:
+ timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || 10) }}
+ name: Lua Check
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ issues: read
+ checks: write
+ pull-requests: write
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v3
+
+ - name: Lua Check
+ uses: Kong/public-shared-actions/code-check-actions/lua-lint@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.3.3
+ with:
+ additional_args: '--no-default-config --config .luacheckrc'
+ action_fail: true
+ print_results: true
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
new file mode 100644
index 0000000..6b25c1e
--- /dev/null
+++ b/.github/workflows/sast.yml
@@ -0,0 +1,28 @@
+name: SAST
+
+on:
+ pull_request: {}
+ push:
+ branches:
+ - master
+ - main
+ workflow_dispatch: {}
+
+
+jobs:
+ semgrep:
+ timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || 10) }}
+ name: Semgrep SAST
+ runs-on: ubuntu-latest
+ permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: Kong/public-shared-actions/security-actions/semgrep@33449c46c6766a3d3c8f167cc383381225862b36
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 0000000..e149cba
--- /dev/null
+++ b/.github/workflows/tests.yml
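Review bot: In .github/workflows/lint.yml the checkout step uses the mutable tag `actions/checkout@v3`, while the Kong lua-lint step right after it is pinned to a full commit SHA; if that tag is moved, unreviewed code runs in a job that holds `checks: write` and `pull-requests: write`. Pin it the same way, `uses: actions/checkout@<full-commit-sha> # vX.Y.Z` (placeholder: take the SHA from the release you have audited), and add `with:` / `persist-credentials: false` so the job token is not left in `.git/config` for later steps. The same applies to `actions/checkout@v3` in sast.yml and, more strongly, to `actions/checkout@main` and `docker/setup-buildx-action@v3` in tests.yml, since `@main` follows a branch rather than a release.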
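Review bot: The Semgrep action in .github/workflows/sast.yml is pinned to a commit SHA with no trailing version comment, unlike the lua-lint pin in lint.yml, which carries `# v2.3.3`. Without it a reviewer cannot tell which release was audited, and update tooling that reads that comment has nothing to work from. Append the release the SHA corresponds to, `…/semgrep@33449c46c6766a3d3c8f167cc383381225862b36 # vX.Y.Z` (placeholder; the page does not state the version). The job also runs on `ubuntu-latest` while the other two workflows use `ubuntu-24.04`; using the fixed image here as well keeps the scanner's environment reproducible.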
@@ -0,0 +1,18 @@
+name: Test
+
+on: [push, pull_request]
+
+jobs:
+ tests:
+ timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || 10) }}
+ name: Busted Tests
+
+ runs-on: ubuntu-24.04
+
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@main
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Run tests
+ run: make test-unit DOCKER_RUN_FLAGS_TTY=''
diff --git a/Makefile b/Makefile
index bc61594..2de1f17 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,8 @@ _docker_is_podman = $(shell $(DOCKER) --version | grep podman 2>/dev/null) # - set username/UID to executor DOCKER_USER ?= $$(id -u) DOCKER_USER_OPT = $(if $(_docker_is_podman),--userns keep-id,--user $(DOCKER_USER)) -DOCKER_RUN_FLAGS ?= --rm --interactive --tty $(DOCKER_USER_OPT) +DOCKER_RUN_FLAGS_TTY ?= --tty +DOCKER_RUN_FLAGS ?= --rm --interactive $(DOCKER_RUN_FLAGS_TTY) $(DOCKER_USER_OPT) DOCKER_NO_CACHE :=
@@ -254,7 +255,7 @@ stop-services: stop-service-redis stop-service-openfga stop-service-postgres .PHONY: lint lint: container-ci-kong-tooling - $(CONTAINER_CI_KONG_TOOLING_RUN) sh -c '(cd /kong-plugin; luacheck .)' + $(CONTAINER_CI_KONG_TOOLING_RUN) sh -c '(cd /kong-plugin; luacheck --no-default-config --config .luacheckrc .)' .PHONY: format-code format-code: container-ci-kong-tooling
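Review bot: The `tests` job in .github/workflows/tests.yml declares no `permissions:` block, so its GITHUB_TOKEN gets whatever the repository or organization default grants, whereas lint.yml and sast.yml in this same diff both scope theirs. The visible steps only check out the code and run `make test-unit`, so `permissions:` / `contents: read` at workflow or job level is likely all it needs. This is also the job that executes repository code through Docker, including contributor code on `pull_request`, which is where a narrow token matters most.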
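Review bot: `DOCKER_RUN_FLAGS_TTY` is a new override point in the first Makefile hunk, but the comment list above `DOCKER_USER` (it starts outside the hunk) does not mention it. The only hint of its purpose is the `DOCKER_RUN_FLAGS_TTY=''` passed in tests.yml. Add a line to that list such as `# - allocate a TTY by default; set DOCKER_RUN_FLAGS_TTY='' where none exists (e.g. CI)`. `--interactive` stays unconditional in `DOCKER_RUN_FLAGS`, which looks intended, but the comment could say so.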
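Review bot: The luacheck flags `--no-default-config --config .luacheckrc` now live in two places, the `lint` recipe in the second Makefile hunk and `additional_args` in .github/workflows/lint.yml, with nothing linking them. Local and CI lint can therefore drift apart without anyone noticing. A comment above the target is enough: `# keep luacheck flags in sync with additional_args in .github/workflows/lint.yml`. `.luacheckrc` itself is not part of this diff, so the rule set both invocations now depend on cannot be reviewed from here.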