diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
new file mode 100644
index 000000000..a78aa46d0
--- /dev/null
+++ b/.github/workflows/cargo-audit.yml
@@ -0,0 +1,21 @@
+name: Cargo Audit
+
+on:
+  schedule:
+    - cron: "0 6 * * *"
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked --version 0.22.0
+
+      - name: Run cargo audit
+        run: cargo audit
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..59a915478
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,37 @@
+name: CodeQL
+
+on:
+  schedule:
+    - cron: "0 3 * * 1"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["rust"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
diff --git a/Cargo.lock b/Cargo.lock
index e2998cd73..4de3f2a7f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4389,6 +4389,31 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "nft_client"
+version = "1.0.0"
+dependencies = [
+ "nft_provider",
+ "primitives",
+ "reqwest",
+ "storage",
+]
+
+[[package]]
+name = "nft_provider"
+version = "1.0.0"
+dependencies = [
+ "async-trait",
+ "futures",
+ "gem_evm",
+ "primitives",
+ "reqwest",
+ "serde",
+ "serde_json",
+ "settings",
+ "tokio",
+]
+
 [[package]]
 name = "nom"
 version = "7.1.3"
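Review bot: The `audit` job declares no `permissions:` block, so it runs with whatever default GITHUB_TOKEN scopes the repository grants although it only needs to read the checkout; the codeql.yml added in the same commit does scope its token, so for consistency and least privilege add `permissions:` / `  contents: read` under `audit:`. The workflow also has only a `schedule` trigger, which means a pull request that introduces an advisory-listed dependency is not flagged until the next nightly run and the job cannot be launched by hand; consider adding `workflow_dispatch:` and a `pull_request:` trigger filtered on `Cargo.lock` next to the cron entry. Finally, `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` are mutable tags; for a workflow whose purpose is supply-chain hygiene, pinning each action to a full commit SHA with the tag kept in a trailing comment is the usual practice, and the same applies to the three action references in codeql.yml.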
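Review bot: Because `on:` lists only a weekly `schedule`, the results uploaded by `github/codeql-action/analyze@v3` under `security-events: write` arrive once a week and never annotate a pull request, so a finding introduced on a branch becomes visible only after it has been merged; adding `push:` on the default branch and `pull_request:` alongside the cron is the standard CodeQL setup, and a `workflow_dispatch:` entry would let the job be run on demand. Rust analysis in CodeQL is comparatively recent, so it is worth confirming on a manual run that the `autobuild` step actually builds this workspace rather than discovering a failure at the first scheduled run. `fail-fast: false` and the one-entry `matrix` are harmless but carry no weight until a second language is added.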
diff --git a/Cargo.toml b/Cargo.toml
index 7b31d3df6..055562388 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -40,6 +40,7 @@ members = [
     "crates/job_runner",
     "crates/search_index",
     "crates/nft",
+    "crates/nft_client",
     "crates/serde_serializers",
     "crates/number_formatter",
     "crates/prices_dex",
diff --git a/README.md b/README.md
index f6b7d4d90..72fe60043 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,10 @@ Run `just install` to install rust, typeshare
 Run API locally: `cargo run --package api`
 
+## Security Scanning
+
+Run `just audit` to execute [`cargo-audit`](https://github.com/RustSec/rustsec/tree/main/cargo-audit) across the entire workspace. The command installs `cargo-audit` if needed and reports vulnerable or unmaintained dependencies surfaced via the RustSec advisory database. Treat the warnings as action items when possible, and file follow-up issues if immediate remediation is not feasible.
+
 ## Gemstone
 
 Cross platform Rust library for iOS and Android with native async networking support.
diff --git a/justfile b/justfile
index 54efb5130..f68e6e5ac 100644
--- a/justfile
+++ b/justfile
@@ -68,6 +68,10 @@ lint:
     @cargo clippy --version
     cargo clippy -- -D warnings
 
+audit:
+    @command -v cargo-audit >/dev/null || cargo install cargo-audit --locked --version 0.22.0
+    cargo audit
+
 unused:
     cargo install cargo-machete
     cargo machete
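Review bot: The `command -v cargo-audit >/dev/null` guard on the first line of the new `audit:` recipe skips the install whenever any cargo-audit binary is present, so a developer with an older or newer version installed never gets the pinned `0.22.0` and local results can diverge from the cargo-audit.yml workflow, which installs that exact version unconditionally. `cargo install` already short-circuits with an "already installed" message when the requested version is the one recorded in its install metadata, so the guard can be dropped and the line reduced to `cargo install cargo-audit --locked --version 0.22.0`. The version string is now duplicated between this recipe and the workflow; a `cargo_audit_version := "0.22.0"` variable at the top of the justfile would at least keep the local side in one place.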