diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5b3d937..61c2774 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,6 +51,15 @@ jobs:
 node-version: 22
 cache: pnpm
 - run: pnpm install --frozen-lockfile
+ - name: Socket supply-chain scan
+ if: github.event_name == 'pull_request'
+ run: |
+ if git diff --name-only origin/${{ github.base_ref }}...HEAD \
+ | grep -qE '(^|/)package\.json$|(^|/)pnpm-lock\.yaml$'; then
+ npx --yes socket-cli@latest scan .
+ else
+ echo "No package.json or pnpm-lock.yaml changes — skipping Socket scan."
+ fi
 - run: pnpm typecheck
 - run: pnpm lint
 - run: pnpm conformance
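Review bot: The new step fails open: if `origin/${{ github.base_ref }}` is not present in the checkout (actions/checkout fetches a single commit unless `fetch-depth` is raised; the checkout step is outside this hunk, so this is inferred), `git diff` errors, `grep -q` sees no input and returns 1, and the `if` takes the `else` branch, skipping the scan while the step reports success. Capture the diff output in a variable under `set -euo pipefail` so a failing `git diff` fails the step instead, and make sure the checkout step fetches enough history for the three-dot range (for example `fetch-depth: 0`). `npx --yes socket-cli@latest` downloads and executes an unpinned package in the very step meant to guard the dependency supply chain; pin an exact version and bump it deliberately. Passing `github.base_ref` through `env` rather than interpolating it into the script keeps the shell text static, which is the usual recommendation for `run` steps.

```yaml
      - name: Socket supply-chain scan
        if: github.event_name == 'pull_request'
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          set -euo pipefail
          # a failing git diff now fails the step instead of silently skipping the scan
          changed="$(git diff --name-only "origin/$BASE_REF"...HEAD)"
          if grep -qE '(^|/)package\.json$|(^|/)pnpm-lock\.yaml$' <<<"$changed"; then
            npx --yes socket-cli@<PINNED_VERSION> scan .   # placeholder: pin an exact version
          else
            echo "No package.json or pnpm-lock.yaml changes — skipping Socket scan."
          fi
```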