diff --git a/.circleci/config.yml b/.circleci/config.yml
index e657fbe..fefe86c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -112,6 +112,7 @@ jobs:
 - run:
 name: shared-helper / npm-store-auth-token
 command: .circleci/shared-helpers/helper-npm-store-auth-token
+ - run: npx snyk monitor --org=customer-products --project-name=Financial-Times/kmt-header
 - run:
 name: shared-helper / npm-version-and-publish-public
 command: .circleci/shared-helpers/helper-npm-version-and-publish-public
diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000..861428b
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,4 @@
+# Snyk (https://snyk.io) policy file, which patches or ignores known vulnerabilities.
+version: v1.13.5
+ignore: {}
+patch: {}
diff --git a/package.json b/package.json
index f09454b..e03d1fd 100644
--- a/package.json
+++ b/package.json
@@ -22,11 +22,13 @@
 "npm-prepublish": "^1.2.3",
 "origami-build-tools": "^6.2.5",
 "pa11y-ci": "^2.1.1",
- "sass-lint": "^1.12.1"
+ "sass-lint": "^1.12.1",
+ "snyk": "^1.167.2"
 },
 "scripts": {
 "precommit": "node_modules/.bin/secret-squirrel",
 "commitmsg": "node_modules/.bin/secret-squirrel-commitmsg",
- "prepush": "make verify -j3"
+ "prepush": "make verify -j3",
+ "prepare": "npx snyk protect || npx snyk protect -d || true"
 }
 }
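Review bot: The new `npx snyk monitor` step is placed after `helper-npm-store-auth-token` has run, so a third-party CLI resolved from a caret range (`"snyk": "^1.167.2"` elsewhere in this change) executes at a point where the npm publish credential appears to already be on disk; moving the step above the `npm-store-auth-token` run lets the scan finish before that token exists. Note also that `snyk monitor` only uploads a dependency snapshot to the Snyk dashboard and does not fail the job on findings, so nothing in this hunk gates the publish that follows — if a gate is intended, an `npx snyk test` step before `monitor` would provide one. For consistency with the sibling steps, give the new step a `name:`, e.g. `- run:` / `name: snyk monitor` / `command: npx snyk monitor --org=customer-products --project-name=Financial-Times/kmt-header`. The step presumably also needs a `SNYK_TOKEN` in the job environment, which is not visible in this hunk, and without it the publish job would fail on an unnamed step.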
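Review bot: The `prepare` script invokes `npx snyk protect`, and when the `snyk` binary is not present in `node_modules` (for example an install that skips devDependencies) `npx` falls back to fetching the newest published `snyk` and executing it, so every `npm install` can run unpinned remote code during a lifecycle hook; call the local binary like the other scripts in this block do, e.g. `"prepare": "snyk protect || true"` (npm puts `node_modules/.bin` on PATH for scripts). The `|| npx snyk protect -d || true` chain also swallows every failure, including a patch that no longer applies, so a broken protect step goes unnoticed; with `patch: {}` in the new `.snyk` file the command is currently a no-op, so the hook could be deferred until there is a patch to apply. `snyk` is added with a caret range and no lockfile change appears in this diff; pin the version or commit a lockfile so the code that runs on install is the code that was reviewed.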