diff --git a/.github/workflows/zap-api-scan.yaml b/.github/workflows/zap-api-scan.yaml
new file mode 100644
index 0000000..6bb1126
--- /dev/null
+++ b/.github/workflows/zap-api-scan.yaml
@@ -0,0 +1,29 @@
+name: ZAP API scan
+
+on:
+  workflow_call:
+    inputs:
+      service_apispec_url:
+        type: string
+        required: true
+    secrets:
+      ACTIONS_TOKEN:
+        required: true
+
+jobs:
+  zap_scan:
+    runs-on: [self-hosted, common]
+    name: API scan
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: ZAP API Scan
+        uses: zaproxy/action-api-scan@v0.7.0
+        with:
+          token: ${{ secrets.ACTIONS_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          format: openapi
+          target: '${{ inputs.service_apispec_url }}'
+          fail_action: true
+          allow_issue_writing: false
\ No newline at end of file
diff --git a/.github/workflows/zap-baseline-scan.yaml b/.github/workflows/zap-baseline-scan.yaml
new file mode 100644
index 0000000..ebb3181
--- /dev/null
+++ b/.github/workflows/zap-baseline-scan.yaml
@@ -0,0 +1,29 @@
+name: ZAP Baseline scan
+
+on:
+  workflow_call:
+    inputs:
+      service_url:
+        type: string
+        required: true
+    secrets:
+      ACTIONS_TOKEN:
+        required: true
+
+jobs:
+  zap_scan:
+    runs-on: [self-hosted, common]
+    name: Baseline scan
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: ZAP Baseline Scan
+        uses: zaproxy/action-baseline@v0.12.0
+        with:
+          token: ${{ secrets.ACTIONS_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          format: openapi
+          target: '${{ inputs.service_url }}'
+          fail_action: true
+          allow_issue_writing: true
\ No newline at end of file
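Review bot: `ACTIONS_TOKEN` is declared as a required secret and passed as `token:` to `zaproxy/action-api-scan`, but with `allow_issue_writing: false` the action has nothing to do with it (the ZAP actions only use the token to file issues), so a credential is handed to a third-party action on a self-hosted runner for no benefit; either drop the `secrets:` block and the `token:` line, or at least make it `required: false`. The actions and the scanner image are all referenced by mutable tags (`actions/checkout@v4`, `zaproxy/action-api-scan@v0.7.0`, `zaproxy:stable`), so a moved or compromised tag silently changes what runs with that token; pin the actions to full commit SHAs and the image to a version tag or digest. Because `service_apispec_url` is caller-supplied and ZAP actively sends attack payloads to whatever it resolves to from the `common` runner pool, a comment on the input such as `# must point at a non-production instance; ZAP sends attack traffic to it` would save a future caller from scanning production. The checkout step on a self-hosted runner should also set `with: persist-credentials: false` unless a later step needs the git credential, and the workflow declares no `permissions:` block, so `permissions: contents: read` would stop it inheriting the caller's grants.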
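Review bot: `format: openapi` appears to be copied from the API-scan workflow; as far as I can tell `zaproxy/action-baseline` does not define a `format` input, so GitHub will log an unexpected-input warning and ignore it, and the line should be removed (the baseline scan spiders `target` directly). With `allow_issue_writing: true` every finding is filed as a repository issue via `ACTIONS_TOKEN`, which requires that PAT to hold `issues: write` on the calling repo and, on a public repository, makes unverified vulnerability reports publicly readable; confirm that is intended or record it with a comment such as `# findings are filed as issues in the calling repo - keep this false for public repos`. As in the API-scan workflow, `actions/checkout@v4`, `zaproxy/action-baseline@v0.12.0` and `zaproxy:stable` are mutable references executed on a self-hosted runner; pin the actions to commit SHAs and the image to a digest. No `permissions:` block is declared, so the job inherits whatever the caller grants; `permissions: contents: read` is enough here because issue creation goes through the PAT rather than `GITHUB_TOKEN`.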