diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fc2f061bd81454e866b1c088b675b4c6ef2fb901..57c6d7edc56df2150c63bb88f999ed7f224d5a13 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -37,6 +37,12 @@ default:
 CREATE_RAILS_TEST_FAILURE_ISSUES: "true"
 CREATE_RAILS_SLOW_TEST_ISSUES: "true"
+.if-merge-request-security-canonical-sync: &if-merge-request-security-canonical-sync
+ if: '$CI_MERGE_REQUEST_SOURCE_PROJECT_PATH == "gitlab-org/security/gitlab" && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == $CI_DEFAULT_BRANCH && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
+
+.if-not-security-canonical-sync: &if-not-security-canonical-sync
+ if: '$CI_MERGE_REQUEST_SOURCE_PROJECT_PATH != "gitlab-org/security/gitlab" || $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != $CI_DEFAULT_BRANCH'
+
 workflow:
 name: '$PIPELINE_NAME'
 rules:
@@ -67,6 +73,10 @@ workflow:
 GITLAB_DEPENDENCY_PROXY_ADDRESS: ""
 PIPELINE_NAME: 'Ruby $RUBY_VERSION $CI_MERGE_REQUEST_EVENT_TYPE MR pipeline (community contribution)'
 NO_SOURCEMAPS: 'true'
+ - <<: *if-merge-request-security-canonical-sync
+ variables:
+ PIPELINE_NAME: '$CI_DEFAULT_BRANCH security->canonical sync'
+ SKIP_MESSAGE: 'MR only contains changes from the security mirror, which have already been reviewed, tested and deployed.'
 # For (detached) merge request pipelines.
 - if: '$CI_MERGE_REQUEST_IID'
 variables:
@@ -205,5 +215,12 @@ variables:
 NOKOGIRI_LIBXML_MEMORY_MANAGEMENT: default
 include:
+ - local: .gitlab/ci/_skip.yml
+ rules:
+ - <<: *if-merge-request-security-canonical-sync
 - local: .gitlab/ci/*.gitlab-ci.yml
+ rules:
+ - <<: *if-not-security-canonical-sync
 - remote: 'https://gitlab.com/gitlab-org/frontend/untamper-my-lockfile/-/raw/main/templates/merge_request_pipelines.yml'
+ rules:
+ - <<: *if-not-security-canonical-sync
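Review bot: The two anchors are not exact negations of each other: `.if-not-security-canonical-sync` omits the target-branch comparison that `.if-merge-request-security-canonical-sync` makes. A merge request from `gitlab-org/security/gitlab` whose source branch is the default branch but whose target is some other branch matches neither rule, so in the `include:` hunk neither `_skip.yml` nor `.gitlab/ci/*.gitlab-ci.yml` nor the lockfile template would be loaded for it. Negating all three terms closes the gap: `if: '$CI_MERGE_REQUEST_SOURCE_PROJECT_PATH != "gitlab-org/security/gitlab" || $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != $CI_DEFAULT_BRANCH || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != $CI_DEFAULT_BRANCH'`. A one-line comment above the pair saying they must stay exact complements would help keep later edits in step.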
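Review bot: The new workflow rule carries no comment, unlike the `# For (detached) merge request pipelines.` rule right below it, and its `SKIP_MESSAGE` asserts prior review, testing and deployment that the condition does not itself check. The condition matches on source project path and branch names only. I would add above it `# Security->canonical default-branch sync: full pipeline is skipped; relies on the security mirror's default branch only receiving reviewed, already-deployed commits.` so the trust assumption is visible where the skip is decided. Workflow rules are first-match and the list begins outside this hunk, so it is worth confirming that no earlier rule can match a sync MR first. In that case the `include:` rules would presumably still select `_skip.yml` while `SKIP_MESSAGE` stays unset.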
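Review bot: Gating the `untamper-my-lockfile` remote include on `*if-not-security-canonical-sync` drops the lockfile integrity check, along with every other job, for any MR the sync condition matches. That condition is a project-path and branch-name match, not evidence that the content was verified. If the template's jobs can run alongside the skip pipeline, consider leaving that include without `rules:` so lockfile changes are still checked on sync MRs. Otherwise record the reasoning next to it, e.g. `# Lockfile check skipped: sync MRs carry commits already verified on the security mirror.` `.gitlab/ci/_skip.yml` is not part of this diff, so what the skip pipeline actually runs cannot be judged from here.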