diff --git a/.github/workflows/terraform-validate.yml b/.github/workflows/terraform-validate.yml index 0225cbd..d86a687 100644 --- a/.github/workflows/terraform-validate.yml +++ b/.github/workflows/terraform-validate.yml @@ -8,17 +8,17 @@ on: jobs: - terraform: - name: 'OpenTofu' + tofu-terraform-validate: + name: 'OpenTofu+Checkov' runs-on: ubuntu-latest defaults: run: working-directory: ./tf-bootstrap - + steps: - name: Checkout - uses: actions/checkout@v3 - + uses: actions/checkout@v4 + - name: Setup OpenTofu uses: opentofu/setup-opentofu@v1 with: @@ -32,3 +32,16 @@ jobs: - name: OpenTofu Validate run: tofu validate + + - name: Set up Python 3.8 + uses: actions/setup-python@v4 + with: + python-version: 3.8 + + - name: Test with Checkov + id: checkov + uses: bridgecrewio/checkov-action@master + with: + directory: ./tf-bootstrap + framework: terraform + skip_check: CKV_GIT_6 diff --git a/tf-bootstrap/main.tf b/tf-bootstrap/main.tf index 66b4837..8b8e114 100644 --- a/tf-bootstrap/main.tf +++ b/tf-bootstrap/main.tf @@ -34,6 +34,26 @@ resource "github_repository" "this" { description = var.github_repository visibility = "private" auto_init = true # This is extremely important as flux_bootstrap_git will not work without a repository that has been initialised + + # Enable vulnerability alerts + vulnerability_alerts = true +} +resource "github_branch_protection" "main" { + repository_id = github_repository.this.node_id + pattern = "main" + + required_status_checks { + strict = true + contexts = ["validate"] + } + + enforce_admins = true + + required_pull_request_reviews { + dismiss_stale_reviews = true + require_code_owner_reviews = true + required_approving_review_count = 2 # Updated to 2 approvals + } } # ==========================================
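Review bot: The renamed job reports its status check under its `name`, `'OpenTofu+Checkov'` (the id `tofu-terraform-validate` would only be used if `name` were absent), so the `contexts = ["validate"]` that the main.tf hunk of this same commit requires is never reported, and with `strict = true` every pull request to `main` will sit waiting for a check that does not exist. Either give the job a `name` equal to the required context or change the Terraform side to the job's display name, e.g. `contexts = ["OpenTofu+Checkov"]`. No `permissions:` block is visible for the job in this hunk; since it only checks out the repository and runs validation and scanning, `permissions: contents: read` at job level would keep the default token from carrying write scopes. The job definition continues past the end of the hunk.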
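Review bot: `uses: bridgecrewio/checkov-action@master` pins the scanner to a moving branch, so the code executed against this checkout changes whenever upstream pushes; pin it to a release tag, or better a full commit SHA with the tag in a trailing comment, as the other steps already use versioned refs (`@v4`, `@v1`). `python-version: 3.8` is an unquoted YAML float that happens to round-trip here, but the same pattern turns `3.10` into `3.1`, and Python 3.8 is past end of life, so write `python-version: "3.8"` (or a currently supported version) as a quoted string. `skip_check: CKV_GIT_6` waives a finding with no explanation; add a comment above it stating why the check is skipped so the suppression can be reviewed and later removed.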
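Review bot: `enforce_admins = true` together with `required_approving_review_count = 2` and `require_code_owner_reviews = true` applies to every push to `main`, including the ones the bootstrap itself makes — the `auto_init` comment in this hunk says `flux_bootstrap_git` writes to this repository, and if it pushes to `main` directly the protection created here will presumably reject that push, so confirm the push path or order the protection after bootstrap. Branch protection on a `visibility = "private"` repository is, as far as I know, not available on GitHub's free plan, so `apply` may fail with an upgrade error unless the owning account is on a paid plan; a comment on the resource recording that prerequisite would save the next person a surprise. `require_code_owner_reviews = true` presumably has no effect until a CODEOWNERS file exists, which this commit does not add. Separate the two resources with a blank line and drop the changelog-style comment `# Updated to 2 approvals` — the value is self-explanatory and the history lives in git. The `github_repository.this` block starts outside the hunk.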