diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 917a751c..06d70157 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -331,6 +331,24 @@ shellcheck:
 hooks/pre-commit
 tests/run-tests
 
+# Run pip-audit, check for known vulnerabilities in python dependencies
+pip-audit:
+ stage: lint
+ image: debian:13-slim
+ script:
+ - apt update -yyq
+ - apt upgrade -yyq
+ - apt install -yyq --no-install-recommends python3 python3-venv
+ - python3 -m venv env
+ - . env/bin/activate
+ - python3 -m ensurepip
+ - python3 -m pip install --upgrade pip
+ - python3 -m pip install pip-audit
+ # always print long-form json output
+ - python3 -m pip_audit -f json | python3 -m json.tool --indent=2 || true
+ # then print human readable summary
+ - python3 -m pip_audit
+
 # Check all the dependencies in Debian to mirror production. CVEs are
 # generally fixed in the latest versions in pip/pypi.org, so it isn't
 # so important to scan that kind of install in CI.
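Review bot: The venv this job builds contains only pip and pip-audit's own dependencies, so the two `python3 -m pip_audit` invocations at the end of the script audit that tooling rather than the project's Python dependencies — nothing in the script installs the project or passes a requirements file. If the intent is to scan the project's dependencies, run `python3 -m pip_audit -r requirements.txt` (substituting whichever requirements file the project actually uses) or `pip install .` into the venv before the audit runs. Separately, `python3 -m pip install pip-audit` pulls an unpinned scanner from PyPI on every run; pinning it to a known version (with `--require-hashes` if practical) keeps the audit job reproducible and narrows the supply-chain exposure of the job itself. The `|| true` on the JSON run is fine since the second plain run still fails the job on findings, though `apt upgrade` on an unpinned `debian:13-slim` base means the job's toolchain likewise varies between runs.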