diff --git a/.editorconfig b/.editorconfig
index 998c28f6c..e7803aadb 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -22,3 +22,6 @@ indent_size = 2
 
 [.gitmodules]
 indent_style = tab
+
+[Makefile]
+indent_style = tab
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 237b6be5d..0d90ef9cd 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -52,10 +52,8 @@ jobs:
 distribution: 'temurin'
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@v4
- - name: Create Gradle lockfile
- run: ./gradlew :${{ matrix.project }}:dependencies --write-locks
 - name: Scan
- run: docker run --rm -v "${PWD}/${{ matrix.project }}/gradle.lockfile:/gradle.lockfile" ghcr.io/google/osv-scanner:v2.0.0 scan --lockfile /gradle.lockfile
+ run: make component=${{ matrix.project }} scan
 java:
 name: Build and Test Java
 runs-on: ubuntu-latest
diff --git a/Makefile b/Makefile
new file mode 100644
index 000000000..77ed55b6d
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,20 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+OSV_SCANNER_IMAGE := ghcr.io/google/osv-scanner:v2.0.2
+
+.PHONY: scan
+scan:
+ifdef component
+ ./gradlew --quiet ':$(component):dependencies' --write-locks --configuration runtimeClasspath
+ docker run --rm --volume './$(component)/gradle.lockfile:/gradle.lockfile' $(OSV_SCANNER_IMAGE) scan --lockfile /gradle.lockfile
+else
+ $(MAKE) component=core scan
+ $(MAKE) component=isthmus scan
+ $(MAKE) component=isthmus-cli scan
+endif
+
+.PHONY: clean
+clean:
+ find . -depth 2 -type f -name gradle.lockfile -delete -print
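Review bot: In `.github/workflows/pr.yml`, the new Scan step splices `${{ matrix.project }}` into the command text before the shell parses it. The matrix definition is outside this hunk, so if it is ever built from anything other than a fixed list, pass the value through the environment instead: an `env:` entry `COMPONENT: ${{ matrix.project }}` and `run: make component="$COMPONENT" scan`. The step also now scans only what `make scan` locks, and the Makefile hunk passes `--configuration runtimeClasspath` where the removed step named no configuration, so test and build-time dependencies may no longer be covered. If that narrowing is intended, a short comment on the step saying so would keep the reduced scope from being mistaken for full coverage.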
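Review bot: In `Makefile`, `OSV_SCANNER_IMAGE` references the scanner by tag only, and a tag can be repointed in the registry, so the CI job that now calls `make scan` runs whatever `v2.0.2` resolves to at pull time. Pinning by digest, `OSV_SCANNER_IMAGE := ghcr.io/google/osv-scanner:v2.0.2@sha256:<digest-of-v2.0.2>` (placeholder, take the value from the registry), makes the scan reproducible. The lockfile bind mount can also be read-only, `--volume './$(component)/gradle.lockfile:/gradle.lockfile:ro'`, since the scanner is only given the file to read. Separately, in `clean`, `-depth 2` is the BSD form; GNU find's `-depth` takes no argument and rejects the stray `2`, so on Linux the recipe fails, and `find . -mindepth 2 -maxdepth 2 -type f -name gradle.lockfile -delete -print` is the portable spelling.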