diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
index d0ae0bbc..00f25ce7 100644
--- a/.github/workflows/scans.yml
+++ b/.github/workflows/scans.yml
@@ -58,9 +58,6 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - name: Build
-        run: go build -v ./...
-
       - name: VulnAPI
         id: vulnapi
         continue-on-error: true
@@ -97,9 +94,6 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - name: Build
-        run: go build -v ./...
-
       - name: VulnAPI
         id: vulnapi
         continue-on-error: true
@@ -157,9 +151,6 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - name: Build
-        run: go build -v ./...
-
       - name: VulnAPI
         id: vulnapi
         continue-on-error: true
@@ -203,9 +194,6 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - name: Build
-        run: go build -v ./...
-
       - name: VulnAPI
         id: vulnapi
         continue-on-error: true
@@ -219,3 +207,53 @@ jobs:
       - name: Stop Server
         if: ${{ always() }}
         run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/apollo:latest)
+
+  run-openapi-scans:
+    name: JWT Scans
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        openapi:
+          [
+            "simple_api_key.openapi.json",
+            "simple_http_bearer_jwt.openapi.json",
+            "simple_http_bearer.openapi.json",
+          ]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Server
+        run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest
+
+      - name: Get JWT
+        id: get-jwt
+        run: echo "jwt=$(docker run --rm ghcr.io/cerberauth/api-vulns-challenges/jwt-strong-eddsa-key:latest jwt)" >> $GITHUB_OUTPUT
+
+      - name: Setup Go environment
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: VulnAPI
+        id: vulnapi
+        continue-on-error: true
+        run: |
+          go run main.go scan openapi ./test/stub/${{ matrix.openapi }} --sqa-opt-out
+
+      - name: Check for vulnerabilities
+        if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }}
+        run: echo "Vulnerabilities found"
+
+      - name: Stop Server
+        if: ${{ always() }}
+        run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest)
diff --git a/test/stub/simple_api_key.openapi.json b/test/stub/simple_api_key.openapi.json
new file mode 100644
index 00000000..8c6ce301
--- /dev/null
+++ b/test/stub/simple_api_key.openapi.json
@@ -0,0 +1,39 @@
+{
+    "openapi": "3.0.2",
+    "info": {
+        "title": "API",
+        "description": "API",
+        "version": "1.0.0"
+    },
+    "servers": [
+        {
+            "url": "http://localhost:8080"
+        }
+    ],
+    "paths": {
+        "/": {
+            "get": {
+                "parameters": [],
+                "responses": {
+                    "204": {
+                        "description": "successful operation"
+                    }
+                },
+                "security": [
+                    {
+                        "api_key_auth": []
+                    }
+                ]
+            }
+        }
+    },
+    "components": {
+        "securitySchemes": {
+            "api_key_auth": {
+                "type": "http",
+                "in": "header",
+                "name": "X-API-Key"
+            }
+        }
+    }
+}
\ No newline at end of file