diff --git a/.busted b/.busted index 74bfc4b..1d16239 100644 --- a/.busted +++ b/.busted @@ -1,10 +1,23 @@ +local current_folder = debug.getinfo(1).source:match("@?(.*/)"):sub(1, -2) + return { _all = { + ROOT = {current_folder .. "/spec"}, verbose = false, + ["coverage-config-file"] = current_folder .. "/.luacov", + }, + default = { coverage = false, output = "gtest", + ["exclude-tags"] = "postgres", }, ci = { + coverage = true, + output = "junit", ["exclude-tags"] = "postgres", }, + ci_postgresql = { + output = "junit", + coverage = true, + }, } diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..dd3f909 --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,30 @@ +name: Lint + +on: [push, pull_request] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + lua-check: + timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || 10) }} + name: Lua Check + runs-on: ubuntu-24.04 + permissions: + contents: read + issues: read + checks: write + pull-requests: write + if: (github.actor != 'dependabot[bot]') + + steps: + - name: Checkout source code + uses: actions/checkout@v3 + + - name: Lua Check + uses: Kong/public-shared-actions/code-check-actions/lua-lint@0ccacffed804d85da3f938a1b78c12831935f992 # v2.8.0 + with: + additional_args: '--no-default-config --config .luacheckrc' + action_fail: true + print_results: true diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml new file mode 100644 index 0000000..6b25c1e --- /dev/null +++ b/.github/workflows/sast.yml 
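Review bot: On the first added line of `.busted`, `debug.getinfo(1).source:match("@?(.*/)")` returns nil when the chunk name has no directory part, and the chained `:sub(1, -2)` then fails with an index-on-nil error before any profile is read. The Makefile passes the absolute `/kong-plugin/.busted`, so CI is unaffected, but a plain `busted` run from the repository root may hit this, depending on how busted names the chunk. A fallback keeps both cases working: `local current_folder = debug.getinfo(1, "S").source:match("^@?(.*)/") or "."`. The new `ci_postgresql` profile also deserves a one-line comment saying that it deliberately omits `["exclude-tags"] = "postgres"`.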
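Review bot: In `lint.yml` the checkout step uses the mutable tag `actions/checkout@v3`, while the Kong lint action right below it is pinned to a full commit SHA, so the job's supply-chain guarantee is only as strong as the unpinned step. Pin it the same way, `uses: actions/checkout@<full-commit-sha> # vX.Y.Z` (placeholders, take the values from the release you adopt). Consider `with: persist-credentials: false` too, because the job token carries `checks: write` and `pull-requests: write`. The same applies to `actions/checkout@v3` in `sast.yml`. In `tests.yml` it applies to `actions/checkout@main`, which tracks a branch, and to `docker/setup-buildx-action@v3` and `EnricoMi/publish-unit-test-result-action@v2`.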
@@ -0,0 +1,28 @@ +name: SAST + +on: + pull_request: {} + push: + branches: + - master + - main + workflow_dispatch: {} + + +jobs: + semgrep: + timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || 10) }} + name: Semgrep SAST + runs-on: ubuntu-latest + permissions: + # required for all workflows + security-events: write + # only required for workflows in private repositories + actions: read + contents: read + + if: (github.actor != 'dependabot[bot]') + + steps: + - uses: actions/checkout@v3 + - uses: Kong/public-shared-actions/security-actions/semgrep@33449c46c6766a3d3c8f167cc383381225862b36 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 0000000..429e1cb --- /dev/null +++ b/.github/workflows/tests.yml @@ -0,0 +1,29 @@ +name: Test + +on: [push, pull_request] + +jobs: + tests: + timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || 10) }} + name: Busted Tests + + runs-on: ubuntu-24.04 + permissions: + checks: write + pull-requests: write + + steps: + - name: Checkout source code + uses: actions/checkout@main + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Run tests + run: make test-unit-ci DOCKER_RUN_FLAGS_TTY='' + - name: Publish Test Results + uses: EnricoMi/publish-unit-test-result-action@v2 + if: always() + with: + files: | + test-results/**/*.xml + test-results/**/*.trx + test-results/**/*.json diff --git a/.gitignore b/.gitignore index d6fc268..131fcfe 100644 --- a/.gitignore +++ b/.gitignore @@ -24,6 +24,9 @@ luacov.report.out /lua_modules/ /.luarocks +# LuaCov and Busted test results +/test-results/ + /.docker/ # Local folder for scratch files diff --git a/.luacov b/.luacov index 07c19d8..04770a0 100644 --- a/.luacov +++ b/.luacov 
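Review bot: The Semgrep step in `sast.yml` is pinned to a commit SHA but has no version comment, unlike the `# v2.8.0` on the lint action, so a reviewer cannot tell which release the hash is meant to be. Append the release tag as a trailing comment, `...semgrep@33449c46c6766a3d3c8f167cc383381225862b36 # <release tag>`. The job also uses `runs-on: ubuntu-latest` while the other two workflows pin `ubuntu-24.04`; using the same image keeps the scan environment reproducible. The `if: (github.actor != 'dependabot[bot]')` guard means dependency-bump pull requests get no SAST run, which is worth a comment if intentional.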
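Review bot: The `permissions:` block of the `tests` job lists only `checks: write` and `pull-requests: write`, and once any permission is declared the unlisted scopes drop to none. The lint and SAST jobs both declare `contents: read`; add the same line here so checkout does not depend on the repository being public. Both write scopes are also live while `make test-unit-ci` runs code from the pushed or pull-request ref. Moving the `Publish Test Results` step into a separate job that only downloads the result artifacts would keep the write-capable token away from the test run. On pull requests from forks the token is read-only regardless, so the publish step will probably not be able to post results there.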
@@ -2,6 +2,6 @@ include = { "%/kong%-plugin%/kong%/.+$", } -statsfile = "/kong-plugin/luacov.stats.out" -reportfile = "/kong-plugin/luacov.report.out" +statsfile = "/kong-plugin/test-results/luacov.stats.out" +reportfile = "/kong-plugin/test-results/luacov.report.out" runreport = true diff --git a/BACKLOG.md b/BACKLOG.md index 4514ac9..dd84c9f 100644 --- a/BACKLOG.md +++ b/BACKLOG.md @@ -14,3 +14,4 @@ ## Cleanup - [ ] The OpenFGA store id in the sqlite database is fixed. Make it dynamic when loading the data. +- [ ] Test with PostgreSQL as database backend. diff --git a/Makefile b/Makefile index bc61594..a5440cc 100644 --- a/Makefile +++ b/Makefile @@ -20,15 +20,17 @@ _docker_is_podman = $(shell $(DOCKER) --version | grep podman 2>/dev/null) # - set username/UID to executor DOCKER_USER ?= $$(id -u) DOCKER_USER_OPT = $(if $(_docker_is_podman),--userns keep-id,--user $(DOCKER_USER)) -DOCKER_RUN_FLAGS ?= --rm --interactive --tty $(DOCKER_USER_OPT) +DOCKER_RUN_FLAGS_TTY ?= --tty +DOCKER_RUN_FLAGS ?= --rm --interactive $(DOCKER_RUN_FLAGS_TTY) $(DOCKER_USER_OPT) DOCKER_NO_CACHE := BUILDKIT_PROGRESS := +BUSTED_RUN_PROFILE := default BUSTED_FILTER := -BUSTED_ARGS = --config-file /kong-plugin/.busted --run ci --filter '$(BUSTED_FILTER)' +BUSTED_ARGS = --config-file /kong-plugin/.busted --run '$(BUSTED_RUN_PROFILE)' --filter '$(BUSTED_FILTER)' ifdef BUSTED_NO_KEEP_GOING BUSTED_ARGS += --no-keep-going endif @@ -180,6 +182,9 @@ $(ROCKSPEC_FILE): kong-plugin.rockspec $(ROCK_FILE): container-ci-kong-tooling $(ROCKSPEC_FILE) $(PLUGIN_FILES) $(CONTAINER_CI_KONG_TOOLING_RUN) sh -c '(cd /kong-plugin; luarocks make --pack-binary-rock --deps-mode none $(ROCKSPEC_FILE))' +test-results: + mkdir -p test-results + .PHONY: tail-logs tail-logs: tail -F servroot/logs/*.log | grep --line-buffered --color '\[\($(KONG_PLUGIN_NAME)\|dns-client\|kong\)\]\|$$' 
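Review bot: `BUSTED_ARGS` now wraps the profile in single quotes, `--run '$(BUSTED_RUN_PROFILE)'`, but the target-specific override added further down for `test-unit-ci` sets `BUSTED_RUN_PROFILE = 'ci'` with its own quotes, so the command expands to `--run ''ci''`. The shell happens to collapse that to `ci`, but it is fragile. Keep the quoting in one place by writing the override as `test-unit-ci: BUSTED_RUN_PROFILE = ci`. Because `BUSTED_RUN_PROFILE` and `BUSTED_FILTER` are spliced into a `sh -c` string, a short comment that they must not contain quote characters would help. The `test-unit-ci` recipe continues past the visible part of the diff.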
@@ -254,7 +259,7 @@ stop-services: stop-service-redis stop-service-openfga stop-service-postgres .PHONY: lint lint: container-ci-kong-tooling - $(CONTAINER_CI_KONG_TOOLING_RUN) sh -c '(cd /kong-plugin; luacheck .)' + $(CONTAINER_CI_KONG_TOOLING_RUN) sh -c '(cd /kong-plugin; luacheck --no-default-config --config .luacheckrc .)' .PHONY: format-code format-code: container-ci-kong-tooling @@ -262,7 +267,13 @@ format-code: container-ci-kong-tooling .PHONY: test-unit test-unit: container-ci-kong-tooling clean-servroot service-openfga - $(CONTAINER_CI_KONG_TOOLING_RUN) busted $(BUSTED_ARGS) /kong-plugin/spec + $(CONTAINER_CI_KONG_TOOLING_RUN) busted $(BUSTED_ARGS) + +.PHONY: test-unit-ci +test-unit-ci: BUSTED_RUN_PROFILE = 'ci' +test-unit-ci: clean-test-results test-results container-ci-kong-tooling clean-servroot service-openfga + $(CONTAINER_CI_KONG_TOOLING_RUN) sh -c "(busted $(BUSTED_ARGS) | awk '/