diff --git a/nyx-scan/action.yml b/nyx-scan/action.yml
new file mode 100644
index 0000000..610bbaa
--- /dev/null
+++ b/nyx-scan/action.yml
@@ -0,0 +1,67 @@
+name: NYX Security Scan
+description: Runs NYX SAST scanner and posts findings as PR comment
+runs:
+ using: composite
+ steps:
+ - name: Clone nyx from Forgejo mirror
+ shell: bash
+ run: |
+ git clone --depth=1 --branch master \
+ "https://oauth2:${{ github.token }}@bitfreedom.net/code/apunkt/nyx.git" \
+ .nyx-src
+
+ - name: Install Rust
+ shell: bash
+ run: |
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
+ echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
+ - name: Build nyx from source
+ shell: bash
+ run: |
+ cd .nyx-src
+ cargo build --release
+
+ - name: Run NYX scan
+ id: nyx
+ shell: bash
+ run: |
+ .nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2>&1
+ continue-on-error: true
+
+ - name: Post findings as PR comment
+ if: steps.nyx.outcome == 'failure'
+ shell: bash
+ run: |
+ FINDINGS=$(python3 -c "
+ import json, sys
+
+ with open('nyx-results.sarif') as f:
+ data = json.load(f)
+
+ results = data.get('runs', [{}])[0].get('results', [])
+
+ lines = [f'## 🔴 NYX found {len(results)} issue(s)\n']
+ for r in results:
+ level = r.get('level', '?')
+ msg = r.get('message', {}).get('text', '?')
+ rule = r.get('ruleId', '?')
+ loc = r.get('locations', [{}])[0].get('physicalLocation', {})
+ path = loc.get('artifactLocation', {}).get('uri', '?')
+ line = loc.get('region', {}).get('startLine', '?')
+ col = loc.get('region', {}).get('startColumn', '?')
+ lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}')
+
+ print('\n'.join(lines))
+ ")
+
+ curl -sf -X POST \
+ -H "Authorization: token ${{ inputs.token }}" \
+ -H "Content-Type: application/json" \
+ "https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+ -d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}"
+
+ - name: Fail if HIGH or above findings found
+ if: steps.nyx.outcome == 'failure'
+ shell: bash
+ run: exit 1
\ No newline at end of file
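Review bot: `${{ inputs.token }}` in the "Post findings as PR comment" step references an input this composite action never declares — there is no `inputs:` block before `runs:` — so the expression most likely evaluates to an empty string, the Authorization header is sent blank, and the comment POST is rejected while `curl -sf` (no `-S`) suppresses the error output. Either declare a required `token` input under an `inputs:` block at the top of the file or reuse `github.token` as the clone step already does. Separately, the scan step's `2>&1` sends the scanner's stderr into `nyx-results.sarif`, so any diagnostic line corrupts the JSON and `json.load` in the comment step fails exactly when findings exist; keep stderr out of the report, e.g. `.nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2> nyx-scan.log`. Because `continue-on-error: true` plus `outcome == 'failure'` treats a scanner crash (missing binary, bad arguments) the same as HIGH findings, the comment step should verify the SARIF file is non-empty and parses before posting rather than inferring findings from the exit status alone. The clone step also embeds `github.token` in the remote URL, which git persists in `.nyx-src/.git/config` for the rest of the job; passing the credential via `-c http.extraheader=...` or `GIT_ASKPASS` would avoid leaving it on disk in the workspace.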