diff --git a/.github/workflows/aws-template-terraform.yml b/.github/workflows/aws-template-terraform.yml
index a66e1708..49feb9cc 100644
--- a/.github/workflows/aws-template-terraform.yml
+++ b/.github/workflows/aws-template-terraform.yml
@@ -1,4 +1,4 @@
-name: AWS Bootstrap Workflow
+name: AWS Template Workflow
 
 on:
 workflow_call:
@@ -52,6 +52,23 @@ jobs:
 done < files.txt
 echo "infra_changed=$infra_changed" >> "$GITHUB_OUTPUT"
 
+ scan:
+ name: Scan TF Code
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Run tfsec
+ uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
+ with:
+ working_directory: ${{ inputs.CONTEXT_FOLDER }}
+ sarif_file: tfsec.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: tfsec.sarif
+ needs: [check_changes]
+
 deploy_infra:
 name: Deploy Infra
 runs-on: ubuntu-latest
@@ -62,7 +79,7 @@ jobs:
 TF_VAR_environment: ${{ vars.ENVIRONMENT_NAME }}
 TF_VAR_kms_key_name: ${{ vars.KMS_KEY_NAME }}
 TF_VAR_vpc_id: ${{ vars.VPC_ID }}
- needs: [check_changes]
+ needs: [scan]
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/deploy-infra-dev.yml b/.github/workflows/deploy-infra-dev.yml
index c8b37f00..37eb0d9b 100644
--- a/.github/workflows/deploy-infra-dev.yml
+++ b/.github/workflows/deploy-infra-dev.yml
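Review bot: The new `scan` job declares no `permissions`, yet `github/codeql-action/upload-sarif@v3` needs `security-events: write`; in a reusable workflow the job only gets what the caller grants, and on a repository whose default GITHUB_TOKEN is read-only the upload step fails and takes every deploy behind it down with it. Add under `scan:` the three lines `permissions:` / `contents: read` / `security-events: write`. Findings are only uploaded here, so unless the pinned tfsec action exits non-zero on findings the job stays green and `deploy_infra` proceeds regardless of what the scan reported; decide explicitly whether the gate should fail on high-severity results and document that on the step. Also, after the `-62,7 +79,7` hunk `deploy_infra` lists only `scan` in `needs`, so `needs.check_changes.outputs.infra_changed` (written at line 53 of the new file) is no longer in its `needs` context; if an `if:` outside these hunks reads it, it now evaluates as empty — either keep `needs: [check_changes, scan]` or have `scan` re-export the output.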
@@ -1,14 +1,32 @@
-name: Deploy AWS Infra to Dev
+name: Publish Infra
 
 on:
+ # PR targeting master is created or new commits are pushed
+ push:
+ branches:
+ - master
+ paths:
+ - "infrastructure/**"
+
+ # Manual trigger via GH Actions UI
 workflow_dispatch:
+ inputs:
+ environment:
+ description: "Select target environment"
+ required: true
+ default: "dev"
+ type: choice
+ options:
+ - dev
+ - test
+ - prod
 
 jobs:
- infrastructure_deploy_dev:
+ deploy:
 uses: ./.github/workflows/aws-template-terraform.yml
 with:
- CONTEXT_FOLDER: ./infrastructure/cloud/environments/dev
- CHANGE_FOLDER_NAME: environments/dev
- ENVIRONMENT_NAME: dev
+ CONTEXT_FOLDER: "./infrastructure/cloud/environments/${{ inputs.environment }}"
+ CHANGE_FOLDER_NAME: environments/${{ inputs.environment }}
+ ENVIRONMENT_NAME: ${{ inputs.environment }}
 TEST_BUCKET_NAME: jasper-test-bucket
 secrets: inherit
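Review bot: On the new `push` trigger the `inputs` context is empty (the `default: "dev"` applies to `workflow_dispatch` only), so `CONTEXT_FOLDER` resolves to `./infrastructure/cloud/environments/` and `ENVIRONMENT_NAME` to an empty string; a push to master therefore calls the template with no environment instead of with dev. Give each value a fallback, e.g. `ENVIRONMENT_NAME: ${{ inputs.environment || 'dev' }}` and the same `|| 'dev'` in the two folder inputs, or derive the environment from `github.event_name`. The comment `# PR targeting master is created or new commits are pushed` does not describe `push:` with `branches: [master]`, which fires only when commits land on master (a PR event would need `pull_request:`); suggest `# Commits pushed to master that touch infrastructure/`. Since the dispatch menu now offers `prod`, anyone able to run workflows can deploy prod from any ref; if the called template does not bind the job to a protected `environment:`, that approval gap should be closed before this lands.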