diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
new file mode 100644
index 0000000000..20770c8ad9
--- /dev/null
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,17 @@
+name: Security scan
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - hotfix/*
+      - work/secscan  # For development
+
+jobs:
+  python-scans:
+    name: Scan Python project
+    uses: canonical/starflow/.github/workflows/scan-python.yaml@main
+    with:
+      packages: python-apt-dev
+      osv-extra-args: '--config=source/osv-scanner.toml'
+      trivy-extra-args: '--severity HIGH,CRITICAL --ignore-unfixed --skip-dirs "tests/spread/**"'
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000000..17da2fac14
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,4 @@
+[[IgnoredVulns]]
+id = "CVE-2024-35195"
+ignoreUntil = "2025-01-01T00:00:00Z"
+reason = "Needed for requests-unixsocket, which we're replacing with requests-unixsocket2"
diff --git a/requirements-devel.txt b/requirements-devel.txt
index 2660b4f900..37f48f4751 100644
--- a/requirements-devel.txt
+++ b/requirements-devel.txt
@@ -199,5 +199,5 @@ yamllint==1.35.1
 zipp==3.20.2
 zope.deprecation==5.0
 zope.interface==7.0.3
-python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz; sys.platform == "linux"
+python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux"
 pyinstaller==5.13.2; sys.platform == "win32"
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 787942bceb..1504cc4323 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -147,4 +147,4 @@ websockets==12.0
 wheel==0.44.0
 ws4py==0.5.1
 zipp==3.20.2
-python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz; sys.platform == "linux"
+python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux"
diff --git a/requirements.txt b/requirements.txt
index 638d3ddb58..75e74f446c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -78,4 +78,4 @@ wadllib==1.3.6
 wheel==0.44.0
 ws4py==0.5.1
 zipp==3.20.2
-python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz; sys.platform == "linux"
+python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux"
diff --git a/tools/freeze-requirements.sh b/tools/freeze-requirements.sh
index 22723c420a..5f086892ee 100755
--- a/tools/freeze-requirements.sh
+++ b/tools/freeze-requirements.sh
@@ -5,7 +5,7 @@ requirements_fixups() {
 
   # Python apt library pinned to source.
   sed -i '/python-apt=*/d' "$req_file"
-  echo 'python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz; sys.platform == "linux"' >> "$req_file"
+  echo 'python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux"' >> "$req_file"
 
   # https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1635463
   sed -i '/pkg[-_]resources==0.0.0/d' "$req_file"