diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..1256462a
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,59 @@
+name: Build
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-18.04
+ env:
+ SONAR_SCANNER_VERSION: 4.7.0.2747
+ SONAR_SERVER_URL: "https://sonarcloud.io"
+ BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+ - name: Set up JDK 11
+ uses: actions/setup-java@v1
+ with:
+ java-version: 11
+ - name: Download and set up sonar-scanner
+ env:
+ SONAR_SCANNER_DOWNLOAD_URL: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${{ env.SONAR_SCANNER_VERSION }}-linux.zip
+ run: |
+ mkdir -p $HOME/.sonar
+ curl -sSLo $HOME/.sonar/sonar-scanner.zip ${{ env.SONAR_SCANNER_DOWNLOAD_URL }}
+ unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
+ echo "$HOME/.sonar/sonar-scanner-${{ env.SONAR_SCANNER_VERSION }}-linux/bin" >> $GITHUB_PATH
+ - name: Download and set up build-wrapper
+ env:
+ BUILD_WRAPPER_DOWNLOAD_URL: ${{ env.SONAR_SERVER_URL }}/static/cpp/build-wrapper-linux-x86.zip
+ run: |
+ curl -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip ${{ env.BUILD_WRAPPER_DOWNLOAD_URL }}
+ unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
+ echo "$HOME/.sonar/build-wrapper-linux-x86" >> $GITHUB_PATH
+ - name: Run build-wrapper
+ run: |
+ mkdir v8build
+ cd v8build
+ wget https://github.com/MultiChain/multichain-binaries/raw/master/linux-v8.tar.gz
+ tar -xf linux-v8.tar.gz
+ cd ..
+ sudo apt-get install -y software-properties-common
+ sudo apt-get install -y build-essential libtool autotools-dev automake pkg-config libssl-dev git
+ sudo apt-get -y install libdb++-dev
+ sudo apt-get -y install libboost-all-dev
+ ./autogen.sh
+ # configure: error: Found Berkeley DB other than 4.8, required for portable wallets (--with-incompatible-bdb to ignore or --disable-wallet to disable wallet functionality)
+ ./configure --with-incompatible-bdb
+ build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make
+ - name: Run sonar-scanner
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: |
+ sonar-scanner --define sonar.host.url="${{ env.SONAR_SERVER_URL }}" --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
\ No newline at end of file
diff --git a/README.md b/README.md
index 56e8ce8a..342d6204 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,9 @@
 MultiChain
 ==========
+[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=cetic_multichain&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=cetic_multichain)
+[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=cetic_multichain&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=cetic_multichain)
+
 [MultiChain](http://www.multichain.com/) is an open source platform for private blockchains, which offers a rich set of features including extensive configurability, rapid deployment, permissions management, native assets and data streams. Although it is designed to enable private blockchains, MultiChain provides maximal compatibility with the bitcoin ecosystem, including the peer-to-peer protocol, transaction/block formats and [Bitcoin Core](https://bitcoin.org/en/bitcoin-core/) APIs/runtime parameters.
 Copyright (c) 2014-2019 Coin Sciences Ltd
diff --git a/security/README.md b/security/README.md
new file mode 100644
index 00000000..c6ad5909
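Review bot: The "Run build-wrapper" step fetches `linux-v8.tar.gz` from the mutable `master` ref of MultiChain/multichain-binaries with `wget` and unpacks it without any checksum or signature check, so whatever that branch serves at run time is presumably what gets linked into the analysed binary; the sonar-scanner and build-wrapper zips fetched with `curl` in the earlier steps are unverified in the same way. Pin the artefact to an immutable ref and verify it, e.g. `wget https://github.com/MultiChain/multichain-binaries/raw/<commit-sha>/linux-v8.tar.gz` followed by `echo "<expected-sha256>  linux-v8.tar.gz" | sha256sum -c -`, and check the scanner zip against the hash SonarSource publishes alongside it. The workflow also declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although nothing here needs more than `permissions: contents: read`, and the third-party actions are referenced by floating tags (`actions/checkout@v2`, `actions/setup-java@v1`) that are better pinned to full commit SHAs for the same supply-chain reason. Separately, `ubuntu-18.04` is an end-of-life runner image, and the `sudo apt-get install` calls run without a preceding `apt-get update`, which can fail or resolve stale packages on a fresh image.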
--- /dev/null
+++ b/security/README.md
@@ -0,0 +1,36 @@
+# Security
+
+## 1. SonarCloud - Static Code Analysis
+
+A [SonarCloud](https://sonarcloud.io/) analysis has been run against a fork of the [MultiChain](https://github.com/MultiChain/multichain) repo inside a [Github Action](/.github/workflows/main.yml).
+
+![Sonarcloud - Summary](img/sonar_summary.png)
+
+### 1.1. Vulnerabilities
+
+The scan identified 1 vulnerability occuring 3 times in [src/wallet/crypter.cpp](/src/wallet/crypter.cpp), [RSPEC-5542](https://rules.sonarsource.com/c/RSPEC-5542)
+
+![SonarCloud - Vulnerabilities](img/sonar_vulnerabilities.png)
+
+### 1.2. Security Hotspots
+
+The security review identified 451 security hotspots:
+
+#### "High" in the "Buffer Overflow" category:
+
+* [cpp:S5801](https://sonarcloud.io/organizations/cetic/rules?open=cpp%3AS5801&rule_key=cpp%3AS5801): Using "strcpy" or "wcscpy" is security-sensitive
+* [cpp:S5816](https://sonarcloud.io/organizations/cetic/rules?open=cpp%3AS5816&rule_key=cpp%3AS5816): Using "strncpy" or "wcsncpy" is security-sensitive
+* [cpp:S6069](https://sonarcloud.io/organizations/cetic/rules?open=cpp%3AS6069&rule_key=cpp%3AS6069): "sprintf" should not be used
+* [cpp:S5813](https://sonarcloud.io/organizations/cetic/rules?open=cpp%3AS5813&rule_key=cpp%3AS5813): Using "strlen" or "wcslen" is security-sensitive
+
+![SonarCloud - Security hotspots](img/sonar_securityhotspot.png)
+
+#### "Medium" - Permissions:
+![SonarCloud - Security hotspots](img/sonar_securityhotspot_med_perms.png)
+
+
+#### "Medium" - Weak Cryptography:
+![SonarCloud - Security hotspots](img/sonar_securityhotspot_med.png)
+
+
+Full results are available at https://sonarcloud.io/project/configuration?id=cetic_multichain&analysisMode=GitHubActions
diff --git a/security/img/sonar_securityhotspot.png b/security/img/sonar_securityhotspot.png
new file mode 100644
index 00000000..f78359c9
Binary files /dev/null and b/security/img/sonar_securityhotspot.png differ
diff --git a/security/img/sonar_securityhotspot_med.png b/security/img/sonar_securityhotspot_med.png
new file mode 100644
index 00000000..623a8ce3
Binary files /dev/null and b/security/img/sonar_securityhotspot_med.png differ
diff --git a/security/img/sonar_securityhotspot_med_perms.png b/security/img/sonar_securityhotspot_med_perms.png
new file mode 100644
index 00000000..e47e44bf
Binary files /dev/null and b/security/img/sonar_securityhotspot_med_perms.png differ
diff --git a/security/img/sonar_summary.png b/security/img/sonar_summary.png
new file mode 100644
index 00000000..0277396a
Binary files /dev/null and b/security/img/sonar_summary.png differ
diff --git a/security/img/sonar_vulnerabilities.png b/security/img/sonar_vulnerabilities.png
new file mode 100644
index 00000000..76563614
Binary files /dev/null and b/security/img/sonar_vulnerabilities.png differ
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 00000000..2693f60f
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,12 @@
+sonar.projectKey=cetic_multichain
+sonar.organization=cetic
+
+# This is the name and version displayed in the SonarCloud UI.
+#sonar.projectName=multichain
+#sonar.projectVersion=1.0
+
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+#sonar.sources=.
+
+# Encoding of the source code. Default is default system encoding
+#sonar.sourceEncoding=UTF-8
\ No newline at end of file