diff --git a/cookiecutter.json b/cookiecutter.json
index e498ade..aee2691 100644
--- a/cookiecutter.json
+++ b/cookiecutter.json
@@ -16,6 +16,7 @@
 "use_allauth": "n",
 "allauth_trust_external_emails": "y",
 "allauth_providers": "google",
+ "vulnerabilities_scanning": "y",
 "sentry_dsn": "",
 "csp_enabled": "n",
 "csp_report_only": "y",
diff --git a/{{cookiecutter.repostory_name}}/.gitignore b/{{cookiecutter.repostory_name}}/.gitignore
index 9c56f64..e8f2296 100644
--- a/{{cookiecutter.repostory_name}}/.gitignore
+++ b/{{cookiecutter.repostory_name}}/.gitignore
@@ -8,6 +8,7 @@
 /db/
 /letsencrypt/
 .env
+.vuln.env
 .venv
 venv
 media/
diff --git a/{{cookiecutter.repostory_name}}/README_AWS.md b/{{cookiecutter.repostory_name}}/README_AWS.md
index b5f2de8..825d9d0 100644
--- a/{{cookiecutter.repostory_name}}/README_AWS.md
+++ b/{{cookiecutter.repostory_name}}/README_AWS.md
@@ -122,12 +122,16 @@ The same goes for AMI built by packer. Cloud init is configured to provision EC2 machines spun up as part of this project's infrastructure. As part of this provisioning, SSM parameters following a specific name convention are read and saved as files in EC2's home directory (RDS access details are managed in another way). +SSM parameters can be managed via AWS console (Systems Manager -> Parameter Store) or via AWS CLI (`aws ssm`). The naming convention is `/application/{{ cookiecutter.aws_project_name }}/{env}/{path_of_the_file_to_be_created}`, for example `/application/project/staging/.env`. A few such parameters are managed by terraform in this project (e.g. `.env`, `docker-compose.yml`) and more can be added. In case you need to add confidential files (like a GCP credentials file) you can simply create appropriate SSM parameters. These will only be accessible to people that access to AWS or EC2 machines, not to people who have access to this repository. One such parameter, namely `/application/{{ cookiecutter.aws_project_name }}/{env}/secret.env` is treated specially - if it exists (it doesn't by default) its contents are appended to `.env` during EC2 machine provisioning - this is a convenient way of supplying pieces of confidential information, like external systems' access keys to `.env`. +## Vulnerability scanning +If you set up your project with `vulnerabilities_scanning` enabled, you need to create an additional SSM parameter with the name `/application/{{ cookiecutter.aws_project_name }}/{env}/.vuln.env` containing environment variables required by [vulnrelay](https://github.com/reef-technologies/vulnrelay) prior to deploying the project. Look at the `/envs/prod/.vuln.env.template` file to see the expected file format. + ## Deploying apps The docker containers are built with code you have locally, including any changes. 
diff --git a/{{cookiecutter.repostory_name}}/devops/tf/main/files/docker-compose.yml b/{{cookiecutter.repostory_name}}/devops/tf/main/files/docker-compose.yml index b4de98e..1176afb 100644 --- a/{{cookiecutter.repostory_name}}/devops/tf/main/files/docker-compose.yml +++ b/{{cookiecutter.repostory_name}}/devops/tf/main/files/docker-compose.yml @@ -101,6 +101,21 @@ services: extra_hosts: - "host.docker.internal:host-gateway" {% endif %} + {% if cookiecutter.vulnerabilities_scanning == 'y' %} + vulnrelay: + image: 'ghcr.io/reef-technologies/vulnrelay:latest' + restart: unless-stopped + env_file: ./.vuln.env + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + logging: + driver: awslogs + options: + awslogs-region: ${region} + awslogs-group: /aws/ec2/${name}-${env} + tag: '$${INSTANCE_ID_SUBST}-vulnrelay' + awslogs-create-group: "true" + {% endif %} volumes: backend-static: diff --git a/{{cookiecutter.repostory_name}}/envs/prod/.vuln.env.template b/{{cookiecutter.repostory_name}}/envs/prod/.vuln.env.template new file mode 100644 index 0000000..ac02987 --- /dev/null +++ b/{{cookiecutter.repostory_name}}/envs/prod/.vuln.env.template @@ -0,0 +1,5 @@ +ENV=prod +DD_URL= +DD_API_KEY= +DD_PRODUCT= +SENTRY_DSN= diff --git a/{{cookiecutter.repostory_name}}/envs/prod/docker-compose.yml b/{{cookiecutter.repostory_name}}/envs/prod/docker-compose.yml index 4af322d..aeedf28 100644 --- a/{{cookiecutter.repostory_name}}/envs/prod/docker-compose.yml +++ b/{{cookiecutter.repostory_name}}/envs/prod/docker-compose.yml @@ -216,6 +216,16 @@ services: logging: <<: *logging {% endif %} + {% if cookiecutter.vulnerabilities_scanning == 'y' %} + vulnrelay: + image: 'ghcr.io/reef-technologies/vulnrelay:latest' + restart: unless-stopped + env_file: ./.vuln.env + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + logging: + <<: *logging + {% endif %} volumes: backend-static: 
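Review bot: The `vulnrelay` service added in this hunk mounts `/var/run/docker.sock` with `:ro`, but the read-only bind flag only restricts filesystem operations on the socket file; Docker API calls made through it are unaffected, so the container effectively has daemon-level access to the host, while `image: 'ghcr.io/reef-technologies/vulnrelay:latest'` pulls whatever the floating tag resolves to at `docker compose up` time. For a component with that much reach the image should be pinned to a version or digest, e.g. `image: 'ghcr.io/reef-technologies/vulnrelay:<version>@sha256:<digest>'` with the values taken from the upstream release, and the volume line deserves a why-comment such as `# docker.sock grants full Docker API access; :ro does not restrict it`. The same two points apply to the `vulnrelay` service added to `envs/prod/docker-compose.yml` in the following hunk.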
diff --git a/{{cookiecutter.repostory_name}}/setup-prod.sh b/{{cookiecutter.repostory_name}}/setup-prod.sh index c1461d6..9f5f8b1 100755 --- a/{{cookiecutter.repostory_name}}/setup-prod.sh +++ b/{{cookiecutter.repostory_name}}/setup-prod.sh @@ -12,6 +12,14 @@ cd "${PROJECT_DIR}" if [[ ! -f "${ENV_DIR}/.env" ]]; then cp "${ENV_DIR}/.env.template" "${ENV_DIR}/.env" fi + +{% if cookiecutter.vulnerabilities_scanning == 'y' %} +# Create .vuln.env from the template if doesn't exist +if [[ ! -f "${ENV_DIR}/.vuln.env" ]]; then + cp "${ENV_DIR}/.vuln.env.template" "${ENV_DIR}/.vuln.env" +fi +ln -sf "${ENV_DIR}/.vuln.env" .vuln.env +{% endif %} # Set symlinks ln -sf "${ENV_DIR}/.env" .env
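Review bot: The new `cp "${ENV_DIR}/.vuln.env.template" "${ENV_DIR}/.vuln.env"` creates the file that will hold `DD_API_KEY` and `SENTRY_DSN` with whatever mode the template has in the repository, so the secret file is likely world-readable unless the umask happens to be restrictive; `install -m 600 "${ENV_DIR}/.vuln.env.template" "${ENV_DIR}/.vuln.env"` creates it owner-only in a single step. The existing `.env` handling directly above follows the same `cp` pattern and would benefit from the same change, but that line is not part of this hunk. The copied template contains only empty placeholder values, and `vulnrelay` will start against them until they are filled in, which is worth stating in the comment, e.g. `# Create .vuln.env from the template if it doesn't exist; values are empty until filled in (see README_AWS.md, SSM parameter .vuln.env)`. The enclosing script continues beyond the end of the hunk.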