diff --git a/.github/workflows/build-test-analyse.yml b/.github/workflows/build-test-analyse.yml
new file mode 100644
index 0000000..56c7eac
--- /dev/null
+++ b/.github/workflows/build-test-analyse.yml
@@ -0,0 +1,42 @@
+name: Build, Test & Analyse
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ build-and-test-java-app:
+ name: Build & Test Java App
+ uses: DNAstack/dnastack-development-tools/.github/workflows/build-test-java-app.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+ with:
+ java-version: 21
+ secrets:
+ pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+
+ sast:
+ name: SAST (SonarQube)
+ uses: DNAstack/dnastack-development-tools/.github/workflows/sast.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+ with:
+ with-frontend: false
+ java-version: 21
+ code-coverage-enabled: true
+ secrets:
+ pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+ sonar-token: ${{ secrets.SONAR_TOKEN }}
+ sonar-host-url: ${{ secrets.SONAR_HOST_URL }}
+
+ sca:
+ name: SCA (Trivy)
+ uses: DNAstack/dnastack-development-tools/.github/workflows/sca.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+ with:
+ java-version: 21
+ secrets:
+ pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+
+ secrets-detection:
+ name: Secrets Detection (Gitleaks)
+ uses: DNAstack/dnastack-development-tools/.github/workflows/secrets-detection.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+ secrets:
+ gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}
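Review bot: The caller declares no `permissions:` block, so each of these jobs — every one of which is also handed a PAT via `secrets.AUTH_TOKEN` — runs the reusable workflows with the repository's default `GITHUB_TOKEN` permissions, which may be read/write depending on the org/repo setting. Add a top-level `permissions:` with `contents: read` so the token is least-privilege by default; a called workflow can only narrow what the caller grants, so if `sast.yml` or `sca.yml` uploads SARIF it will additionally need `security-events: write` here (and `id-token: write` if either uses OIDC) — confirm against the referenced workflows in dnastack-development-tools, which are not visible in this diff. Pinning all four `uses:` lines to a full commit SHA is the right call; consider appending the corresponding tag as a trailing comment (e.g. `# vX.Y`), as the deleted `java-tests.yml` did for its actions, so the pin stays reviewable when it is next bumped. Note also that the triggers now cover only `main`, whereas the removed workflow still ran on `master`.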
diff --git a/.github/workflows/java-tests.yml b/.github/workflows/java-tests.yml
deleted file mode 100644
index 4f88ec9..0000000
--- a/.github/workflows/java-tests.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: Java Tests
-
-on:
- pull_request:
- branches: [ master, main ]
- push:
- branches: [ master, main ]
-
-jobs:
- test:
- name: Run Java Tests
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout code
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-
- - name: Set up JDK 21
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5
- with:
- java-version: '21'
- distribution: 'temurin'
- cache: 'maven'
-
- - name: Run tests
- run: mvn clean test
-
- - name: Publish test results
- uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2
- if: always()
- with:
- files: |
- **/target/surefire-reports/*.xml
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..36bc270
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,15 @@
+# Gitleaks configuration — controls secret scanning behavior.
+# See: https://github.com/gitleaks/gitleaks#configuration
+
+# Use the default detection rules.
+[extend]
+ useDefault = true
+
+# Exclude build artifacts and dependency directories from scanning.
+[[allowlists]]
+ description = "exclude build artifacts and dependency directories"
+ paths = [
+ '''target/''',
+ '''node_modules/''',
+ '''node_installation/''',
+ ]
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..c06921a
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,6 @@
+# Gitleaks ignore file — suppresses known/accepted secret findings.
+# Each line is a fingerprint from gitleaks output. New secrets in the same
+# files will still be caught — only these specific findings are suppressed.
+#
+# To add a new entry: run `gitleaks detect --source . --no-git -v`,
+# copy the Fingerprint line, and add it here with a comment explaining why.
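Review bot: The header tells contributors to generate fingerprints with `--no-git`, but gitleaks fingerprints include the commit SHA when scanning git history (`<commit>:<file>:<rule>:<line>`) and omit it in no-git mode (`<file>:<rule>:<line>`), so a fingerprint produced as instructed will not suppress the same finding if the reusable secrets-detection workflow — not visible here — scans history. State which mode CI uses and tell contributors to copy the fingerprint from a run in that same mode, e.g. `# Generate the fingerprint in the same mode CI uses (git history vs --no-git); the two formats differ.` It would also help to require that the justification say whether the matched value is a test fixture or a real credential that has since been rotated, since an ignore entry suppresses the alert but revokes nothing.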
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..07b9388
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,16 @@
+# Trivy ignore file for known/accepted vulnerabilities.
+# See: https://trivy.dev/docs/configuration/filtering/#trivyignoreyaml
+#
+# Format:
+# vulnerabilities:
+# - id: CVE-XXXX-XXXXX
+# reason: "Why this is acceptable"
+# expired_at: 2026-XX-XXT00:00:00Z
+
+vulnerabilities:
+ - id: CVE-2026-34483
+ reason: "Transitive via Spring Boot 3.5.13 parent (pins tomcat 10.1.53; fix in 10.1.54). Affects Tomcat's JsonAccessLogValve — not configured. Resolves when Spring Boot 3.5.14+ bumps tomcat."
+ expired_at: 2026-10-18T00:00:00Z
+ - id: CVE-2026-34487
+ reason: "Transitive via Spring Boot 3.5.13 parent (pins tomcat 10.1.53; fix in 10.1.54). Affects Tomcat access-log logging of sensitive data — no access log valve configured. Resolves when Spring Boot 3.5.14+ bumps tomcat."
+ expired_at: 2026-10-18T00:00:00Z
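Review bot: Both entries justify the exception with the runtime claim that no access-log valve is configured, which this diff cannot confirm, and they park the risk for roughly six months until `expired_at` — by which time Spring Boot 3.5.14 may or may not have been adopted. Since the `reason` text itself states the fix is in Tomcat 10.1.54, the narrower option is to override the managed version rather than ignore the CVEs: add `<tomcat.version>10.1.54</tomcat.version>` to the `<properties>` block in pom.xml (the starter parent is expected to honor that property — verify the build and tests with it) and then drop these two entries. If the override is not viable, shorten `expired_at` and add a pointer in `reason` to where the access-log configuration is checked, so the next reviewer can re-verify the assumption instead of simply renewing the ignore.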
diff --git a/pom.xml b/pom.xml
index 0284f86..9184f97 100644
--- a/pom.xml
+++ b/pom.xml
@@ -7,7 +7,7 @@
org.springframework.boot
spring-boot-starter-parent
- 3.5.6
+ 3.5.13
@@ -61,6 +61,9 @@
1.0.18
1.0.20
1.0.5
+
+ 2.18.6
2021.0.9
3.49.5