diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..9c8c6d0
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,192 @@
+stages:
+ - test
+ - build
+ - security
+ - deploy
+
+variables:
+ BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
+ DOCKER_DRIVER: overlay2
+ DOCKER_TLS_CERTDIR: ""
+
+cache:
+ key: "${CI_COMMIT_REF_SLUG}"
+ paths:
+ - .cache/pip
+ - .cache/trivy
+ policy: pull-push
+
+image: docker:28.0
+
+services:
+ - docker:28.0-dind
+
+.trivy-fs-template: &trivy-fs-scan
+ stage: security
+ image: aquasec/trivy:latest
+ variables:
+ TRIVY_CACHE_DIR: .cache/trivy
+ TRIVY_NO_PROGRESS: "true"
+ TRIVY_TIMEOUT: "10m0s"
+ cache:
+ paths:
+ - $TRIVY_CACHE_DIR
+ policy: pull-push
+ before_script:
+ - mkdir -p $TRIVY_CACHE_DIR
+ script:
+ - trivy fs --format cyclonedx --output fs-sbom.json . || true
+ - trivy fs --format sarif --output gl-sast-fs-report.json . || true
+ allow_failure: true
+ artifacts:
+ reports:
+ sast: gl-sast-fs-report.json
+ paths:
+ - fs-sbom.json
+ - gl-sast-fs-report.json
+ expire_in: 1 week
+ when: always
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_TAG
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ - if: $SAST_DISABLED
+ when: never
+
+.trivy-image-template: &trivy-image-scan
+ stage: security
+ image: aquasec/trivy:latest
+ variables:
+ TRIVY_CACHE_DIR: .cache/trivy
+ TRIVY_NO_PROGRESS: "true"
+ TRIVY_TIMEOUT: "10m0s"
+ cache:
+ paths:
+ - $TRIVY_CACHE_DIR
+ policy: pull-push
+ before_script:
+ - mkdir -p $TRIVY_CACHE_DIR
+ - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+ script:
+ - trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA || true
+ - trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA || true
+ allow_failure: true
+ artifacts:
+ reports:
+ sast: gl-sast-image-${IMAGE_TYPE}-report.json
+ paths:
+ - image-sbom-${IMAGE_TYPE}.json
+ - gl-sast-image-${IMAGE_TYPE}-report.json
+ expire_in: 1 week
+ when: always
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_TAG
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ - if: $SAST_DISABLED
+ when: never
+
+.webhook-template: &webhook-config
+ stage: deploy
+ image: curlimages/curl:latest
+ script:
+ - |
+ curl -s -X POST \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \
+ -H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \
+ "$WEBHOOK_URL"
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ when: on_success
+
+.build-template: &build-config
+ stage: build
+ image: docker:28.0
+ services:
+ - docker:28.0-dind
+ variables:
+ DOCKER_BUILDKIT: 1
+ BUILDKIT_INLINE_CACHE: 1
+ before_script:
+ - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+ script:
+ - |
+ docker buildx create --use
+ docker buildx build . \
+ -t $IMAGE_NAME:latest \
+ -t $IMAGE_NAME:$CI_COMMIT_REF_SLUG \
+ -t $IMAGE_NAME:$CI_COMMIT_SHA \
+ -f $CONTAINERFILE --target $BUILDTARGET --push \
+ --cache-from type=registry,ref=$IMAGE_NAME-cache \
+ --cache-to type=registry,ref=$IMAGE_NAME-cache,mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd \
+ --build-arg BUILDKIT_INLINE_CACHE=1
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ when: always
+ - if: $CI_COMMIT_TAG
+ when: always
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ when: manual
+ allow_failure: true
+
+sast-filesystem:
+ <<: *trivy-fs-scan
+
+sast-image-runtime:
+ <<: *trivy-image-scan
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend
+ IMAGE_TYPE: runtime
+ dependencies:
+ - build-runtime
+
+sast-image-tests:
+ <<: *trivy-image-scan
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
+ IMAGE_TYPE: tests
+ dependencies:
+ - build-tests
+
+sast-image-migrations:
+ <<: *trivy-image-scan
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
+ IMAGE_TYPE: migrations
+ dependencies:
+ - build-migrations
+
+build-runtime:
+ <<: *build-config
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend
+ CONTAINERFILE: Containerfile
+ BUILDTARGET: runtime
+
+build-tests:
+ <<: *build-config
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
+ CONTAINERFILE: Containerfile
+ BUILDTARGET: tests
+
+build-migrations:
+ <<: *build-config
+ variables:
+ IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
+ CONTAINERFILE: Containerfile
+ BUILDTARGET: migrations
+
+webhook-backend-deploy:
+ <<: *webhook-config
+ variables:
+ WEBHOOK_URL: "https://paas.itqdev.xyz/api/v1/deploy?uuid=gokokwkwkgg8o4gggow00cc8&force=false&tag=$CI_COMMIT_REF_SLUG"
+ dependencies:
+ - build-runtime
+
+workflow:
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_TAG
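Review bot: The `<<: *trivy-image-scan` and `<<: *build-config` merges are shallow YAML merge keys, so the job-level `variables:` mapping in `sast-image-runtime`, `sast-image-tests`, `sast-image-migrations` and the three `build-*` jobs replaces the template's `variables:` wholesale — `TRIVY_CACHE_DIR`, `TRIVY_NO_PROGRESS` and `TRIVY_TIMEOUT` (and `DOCKER_BUILDKIT`, `BUILDKIT_INLINE_CACHE` in the build jobs) are therefore unset in those jobs and `mkdir -p $TRIVY_CACHE_DIR` plus the `cache.paths` entry run on an empty value; `extends: .trivy-image-template` / `extends: .build-template`, which GitLab deep-merges, keeps the template variables while letting the job add its own. In both trivy templates the `- if: $SAST_DISABLED` / `when: never` rule is listed last, after rules that already match every pipeline the `workflow` admits (default branch, tag, merge request), so it can never fire and must be the first rule. Since every `trivy` command ends in `|| true` and the scan jobs carry `allow_failure: true`, `webhook-backend-deploy` (`when: on_success`) proceeds regardless of findings — if the scans are meant to gate deployment, drop `|| true` and let trivy set the exit status with `--exit-code 1 --severity CRITICAL,HIGH`; if they are report-only by design, a comment on the template saying so would spare the next reader the question. `docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"` passes the token on the command line (Docker itself warns about this); prefer `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`, and pin `aquasec/trivy:latest` to a tag or digest so scan results are reproducible. The webhook's `curl -s` has no `--fail`, so an HTTP error from the deploy endpoint still leaves the job green.
```yaml
.trivy-image-template:
  # … unchanged: stage, image, variables, cache, script, artifacts …
  before_script:
    - mkdir -p "$TRIVY_CACHE_DIR"
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

sast-image-runtime:
  extends: .trivy-image-template
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend
    IMAGE_TYPE: runtime
  # … unchanged: dependencies …
```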