diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index cbf48301..dc9e72d1 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -10,12 +10,20 @@ trigger:
variables:
NugetSecurityAnalysisWarningLevel: none # nuget.config requires signed packages by trusted owners
+ Codeql.Enabled: true
queue:
name: VSEngSS-MicroBuild2019-1ES
timeoutInMinutes: 60
steps:
+
+- task: ComponentGovernanceComponentDetection@0
+ inputs:
+ scanType: 'Register'
+ verbosity: 'Verbose'
+ alertWarningLevel: 'High'
+
- task: PowerShell@2
displayName: Set VSTS variables
inputs:
@@ -56,6 +64,14 @@ steps:
displayName: Install MicroBuild Signing plugin
condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
+- task: AntiMalware@4
+ displayName: 'Run MpCmdRun.exe'
+ inputs:
+ InputType: Basic
+ ScanType: CustomScan
+ FileDirPath: '$(Build.StagingDirectory)'
+ DisableRemediation: false
+
- task: VSBuild@1
inputs:
vsVersion: 15.0
@@ -98,6 +114,12 @@ steps:
displayName: MicroBuild Cleanup
condition: succeededOrFailed()
+- task: PoliCheck@2
+ displayName: 'Run PoliCheck'
+ inputs:
+ targetType: F
+ condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
+
- task: ManifestGeneratorTask@0
inputs:
BuildDropPath: $(Build.ArtifactStagingDirectory)/build_logs
@@ -119,6 +141,14 @@ steps:
displayName: 'Publish Artifact: build logs'
condition: succeededOrFailed()
+- task: PublishSecurityAnalysisLogs@3
+ displayName: 'Publish Guardian Artifacts'
+ inputs:
+ ArtifactName: CodeAnalysisLogs
+ ArtifactType: Container
+ PublishProcessedResults: false
+ AllTools: true
+
## Following steps are skipped in PR builds
- task: CopyFiles@1
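Review bot: ComponentGovernanceComponentDetection@0 is inserted as the very first step, before any restore or build, so it can only register components declared in manifests already present in the source tree; the detector is normally run after package restore (ideally after the build) so that resolved transitive dependencies are registered too — consider moving it down to just before the publish steps. As written the task only raises alerts (`alertWarningLevel: 'High'`) and nothing fails the build on a vulnerable component; if this task version supports `failOnAlert: true`, that is the input that turns it into a gate. `Codeql.Enabled: true` is only a variable here and no CodeQL init/finalize task appears in these hunks, so whether analysis actually runs depends on the pool injecting it — confirm in a build log before relying on it.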
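Review bot: The AntiMalware@4 step scans `$(Build.StagingDirectory)` but is inserted before `VSBuild@1`, so at that point the directory holds nothing the build has produced and the scan passes trivially. Move it after the build and after the CopyFiles@1 step that populates the staging directory (under `## Following steps are skipped in PR builds`), immediately before the artifacts are signed or published. `DisableRemediation: false` lets Defender quarantine a flagged file in place, which is reasonable for a release build, but it only means anything once the scanned directory actually contains the outputs. The enclosing steps list continues outside the hunk.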
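Review bot: PoliCheck@2 is given `targetType: F` with no `targetArgument`, so the directory it scans is whatever the task defaults to, which is not visible here; make the scope explicit with `targetArgument: '$(Build.SourcesDirectory)'` so it does not change silently with a task update. The step is also gated with `ne(variables['Build.Reason'], 'PullRequest')`, copied from the signing-plugin condition, but PoliCheck has no signing dependency; running it on PR builds as well surfaces term findings before merge rather than after. If the exclusion is deliberate to keep PR builds fast, say so in a comment above the condition.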
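Review bot: PublishSecurityAnalysisLogs@3 has no `condition`, so when the build or one of the new scan tasks fails the analysis logs — the artifacts you most want in that case — are not published; the adjacent build-logs publish uses `condition: succeededOrFailed()`, and this step should carry the same line. Publishing the logs also does not gate anything: no PostAnalysis-style break step appears in these hunks, so findings from the added scanners only surface in the `CodeAnalysisLogs` artifact unless a step outside this diff reads them. Note too that the PoliCheck result will be missing from this artifact on PR builds because that task is skipped there.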