diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml
new file mode 100644
index 0000000000..fe775576e5
--- /dev/null
+++ b/.github/workflows/vulnerability_scan.yml
@@ -0,0 +1,34 @@
+name: Vulnerability scan
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  vulnerability-scan:
+    strategy:
+      # We don't want to run all jobs in parallel, because this would
+      # overload NVD and we would get 503
+      max-parallel: 1
+      matrix:
+        # References/branches which should be scanned for vulnerabilities are
+        # defined in the VULNERABILITY_SCAN_REFS variable as json list.
+        # For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
+        ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }}
+    name: Vulnerability scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+          ref: ${{ matrix.ref }}
+
+      - name: Vulnerability scan
+        env:
+          SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }}
+          NVDAPIKEY: ${{ secrets.NVDAPIKEY }}
+        uses: espressif/esp-idf-sbom-action@master
+        with:
+          ref: ${{ matrix.ref }}
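Review bot: The scan step uses `espressif/esp-idf-sbom-action@master`, a mutable branch, while handing it `secrets.NVDAPIKEY` and `secrets.SBOM_MATTERMOST_WEBHOOK`; whatever lands on that branch runs here with those secrets on the next nightly run, and the checkout step in the same hunk is already pinned to a release (`@v4`). Pin the action to a full commit SHA with the release named in a trailing comment, `uses: espressif/esp-idf-sbom-action@<full-commit-sha>  # <release-tag>`, and let a dependency-update bot move the pin. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository default; since the job only needs to read the checkout, a top-level `permissions:` with `contents: read` bounds it. Separately, `fromJSON(vars.VULNERABILITY_SCAN_REFS)` fails at workflow evaluation if the variable is unset or not valid JSON, which the comment above it could state so the failure mode is understood.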