diff --git a/.gitea/workflows/security.yaml b/.gitea/workflows/security.yaml
index 1ce07ed..c714cfd 100644
--- a/.gitea/workflows/security.yaml
+++ b/.gitea/workflows/security.yaml
@@ -2,9 +2,15 @@ name: Security
 on:
 pull_request:
+ branches:
+ - main
+ - testing
+ - "v*"
 push:
 branches:
- - "**"
+ - main
+ - testing
+ - "v*"
 workflow_dispatch:
 permissions:
@@ -181,6 +187,8 @@ jobs:
 "Authorization": f"token {token}",
 "Content-Type": "application/json",
 }
+ vulnerability_label_name = "vulnerability"
+ vulnerability_label_id = None
 def load_json(path, fallback):
 try:
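Review bot: The new `"v*"` entries under `pull_request.branches` and `push.branches` match branch names only, so if releases are cut as `v*` tags a tag push still does not trigger the scan; if that is intended to be covered, add `tags:` / `- "v*"` under `push:` alongside the branch list. The `pull_request` filter selects on the PR's base branch (GitHub-compatible semantics, which Gitea Actions appears to follow), so a PR opened against any branch other than `main`, `testing` or `v*` now skips the security workflow entirely, where the old `"**"` push filter still scanned every branch on push. A one-line comment above `branches:` stating that scans are deliberately limited to protected/release branches would stop the next maintainer from reading this as an accidental gap.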
@@ -203,11 +211,47 @@ jobs:
 issues = json.load(response)
 return any(issue.get("title") == title for issue in issues)
+ def ensure_vulnerability_label():
+ global vulnerability_label_id
+
+ if vulnerability_label_id is not None:
+ return vulnerability_label_id
+
+ labels_url = f"{api_url}/repos/{urllib.parse.quote(owner)}/{urllib.parse.quote(name)}/labels"
+
+ request = urllib.request.Request(labels_url, headers=headers)
+ with urllib.request.urlopen(request, timeout=30) as response:
+ labels = json.load(response)
+
+ for label in labels:
+ if label.get("name") == vulnerability_label_name:
+ vulnerability_label_id = label.get("id")
+ return vulnerability_label_id
+
+ payload = json.dumps({
+ "name": vulnerability_label_name,
+ "color": "d73a4a",
+ "description": "Security vulnerability found by automated scans",
+ "exclusive": False,
+ "is_archived": False,
+ }).encode("utf-8")
+ request = urllib.request.Request(labels_url, data=payload, headers=headers, method="POST")
+ with urllib.request.urlopen(request, timeout=30) as response:
+ created = json.load(response)
+
+ vulnerability_label_id = created.get("id")
+ return vulnerability_label_id
+
 def create_issue(title, body):
 if find_existing(title):
 print(f"Open issue already exists: {title}")
 return
- payload = json.dumps({"title": title, "body": body}).encode("utf-8")
+ label_id = ensure_vulnerability_label()
+ payload = json.dumps({
+ "title": title,
+ "body": body,
+ "labels": [label_id] if label_id is not None else [],
+ }).encode("utf-8")
 request = urllib.request.Request(issues_url, data=payload, headers=headers, method="POST")
 with urllib.request.urlopen(request, timeout=30) as response:
 created = json.load(response)
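Review bot: The label lookup in `ensure_vulnerability_label` does a single unpaged GET of `labels_url`, so on a repository with more labels than one API page the existing `vulnerability` label can be missed and the POST then tries to create a duplicate, which the server is likely to reject. Any HTTPError from that GET or POST also propagates straight out of `create_issue`, so a token that may open issues but not manage labels now blocks issue creation entirely, even though the `"labels": [label_id] if label_id is not None else []` line already copes with a missing label. The function should walk the pages with the `page`/`limit` query parameters and treat label resolution as best-effort, returning `None` on failure; `urllib.error` is reachable once `urllib.request` is imported, which the existing calls imply. The enclosing inline script starts outside the hunk, and the `global` rebinding only works if these defs sit at the script's module level — worth confirming, and worth a short docstring on `ensure_vulnerability_label` stating that it caches the id in the module-level `vulnerability_label_id`.
```python
def ensure_vulnerability_label():
    """Return the id of the `vulnerability` label, creating it if absent.

    Best-effort: caches the id in module-level vulnerability_label_id and
    returns None when the label cannot be resolved, so callers can still
    open the issue without a label.
    """
    global vulnerability_label_id

    if vulnerability_label_id is not None:
        return vulnerability_label_id

    labels_url = f"{api_url}/repos/{urllib.parse.quote(owner)}/{urllib.parse.quote(name)}/labels"

    try:
        # Walk every page: an unpaged GET only returns the first page, so an
        # existing label past it would be re-created (and likely rejected).
        page = 1
        while True:
            request = urllib.request.Request(f"{labels_url}?page={page}&limit=50", headers=headers)
            with urllib.request.urlopen(request, timeout=30) as response:
                labels = json.load(response)
            if not labels:
                break
            for label in labels:
                if label.get("name") == vulnerability_label_name:
                    vulnerability_label_id = label.get("id")
                    return vulnerability_label_id
            page += 1

        # … unchanged: payload / POST that creates the label …
        with urllib.request.urlopen(request, timeout=30) as response:
            created = json.load(response)
    except (urllib.error.HTTPError, urllib.error.URLError) as error:
        # A token without label permissions must not block issue creation.
        print(f"Could not resolve label {vulnerability_label_name!r}: {error}")
        return None

    vulnerability_label_id = created.get("id")
    return vulnerability_label_id
```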