diff --git a/.ci/run-safety.sh b/.ci/run-safety.sh
index 705fcdbd4..7d2607883 100755
--- a/.ci/run-safety.sh
+++ b/.ci/run-safety.sh
@@ -16,19 +16,23 @@
 # 67599: pip issue, utter nonsense
 # 70612: Jinja2 SSTI, as of https://github.com/inducer/relate/pull/1053
 # there is no longer a direct Jinja dependency, and no known path to SSTI.
-safety check \
- -i 38678 \
- -i 39253 \
- -i 39535 \
- -i 40291 \
- -i 44715 \
- -i 44716 \
- -i 44717 \
- -i 51159 \
- -i 51549 \
- -i 51499 \
- -i 51457 \
- -i 65213 \
- -i 67599 \
- -i 70612 \
- --full-report
+if test "$SAFETY_API_KEY" != ""; then
+ safety --stage cicd --key "$SAFETY_API_KEY" scan \
+ -i 38678 \
+ -i 39253 \
+ -i 39535 \
+ -i 40291 \
+ -i 44715 \
+ -i 44716 \
+ -i 44717 \
+ -i 51159 \
+ -i 51549 \
+ -i 51499 \
+ -i 51457 \
+ -i 65213 \
+ -i 67599 \
+ -i 70612 \
+ --full-report
+else
+ echo ":warning::Skipped running safety, no API key."
+fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e55e64009..20c9919fa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,6 +52,8 @@ jobs:
 run: poetry run ./.ci/run-mypy.sh
 - name: "Safety"
 run: poetry run ./.ci/run-safety.sh
+ env:
+ SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}
 - name: "Sphinx"
 run: |
 (cd doc; poetry run make html SPHINXOPTS="-W --keep-going -n")
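Review bot: The new `safety --stage cicd --key "$SAFETY_API_KEY" scan` line puts the API key on the command line, where it is visible in process listings on the runner and in any `set -x` trace of this script; since the workflow already exports `SAFETY_API_KEY` in the step environment and the safety CLI reads the key from that variable itself, the flag can be dropped: `safety --stage cicd scan \`. The guard `test "$SAFETY_API_KEY" != ""` aborts under `set -u` when the variable is entirely unset (the script header with its `set` options is outside this hunk), so `test "${SAFETY_API_KEY:-}" != ""` is the safer form. The skip message `:warning::Skipped running safety, no API key.` looks like it was meant to be the GitHub Actions `::warning::` workflow command; as written it prints as plain text and produces no annotation, so the green, unscanned result of the no-key path is easy to overlook.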
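Review bot: The added `env:` block passes `secrets.SAFETY_API_KEY` to the step without noting what happens when the secret is unavailable; if the workflow's triggers (outside this hunk) include pull requests from forks, the value resolves to an empty string and `run-safety.sh` takes its skip branch, so the step passes without auditing dependencies. A one-line comment above `env:` would make that visible to whoever reads the CI config, e.g. `# Empty on fork PRs (secrets are withheld); run-safety.sh then skips the scan.` It is also worth deciding whether a skipped dependency audit should be surfaced somewhere other than a green step.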