diff --git a/Makefile b/Makefile
index 0c8f3b5..7c4032d 100644
--- a/Makefile
+++ b/Makefile
@@ -14,6 +14,10 @@ fix: ## Fix scripts
 @poetry run ruff format .
 @poetry run ruff check . --fix
+.PHONY: hardening-check
+hardening-check: ## Run kernel-hardening-checker
+ @poetry run ./scripts/check-hardening
+
 .PHONY: tiny-6.6
 tiny-6.6: OUT:=$(SCRIPT_OUTPUT_PREFIX)-tiny-6.6.$(SCRIPT_OUTPUT_EXT)
 tiny-6.6: ## Builds latest 6.6 kernel, unpatched
diff --git a/poetry.lock b/poetry.lock
index 89a97d5..7680fd0 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.1.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.4.1 and should not be changed by hand.
 [[package]]
 name = "charset-normalizer"
@@ -123,6 +123,22 @@ files = [
 {file = "charset_normalizer-3.4.4.tar.gz", hash = "sha256:94537985111c35f28720e43603b8e7b43a6ecfb2ce1d3058bbe955b73404e21a"},
 ]
+[[package]]
+name = "kernel-hardening-checker"
+version = "0.6.17.1"
+description = "A tool for checking the security hardening options of the Linux kernel"
+optional = false
+python-versions = ">=3.9"
+groups = ["dev"]
+files = []
+develop = false
+ [package.source]
+type = "git"
+url = "https://github.com/a13xp0p0v/kernel-hardening-checker.git"
+reference = "HEAD"
+resolved_reference = "0b9aebf818145f772407135b79418958c1ec5ed1"
+
 [[package]]
 name = "python-debian"
 version = "1.0.1"
@@ -193,4 +209,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11"
-content-hash = "b3c2c17637a3ad0ce5feebbaad958f80f395c44bbc51cd14a23ebad76f09e5a2"
+content-hash = "7507926eaae33538dfa1a0c0c5a39910e09f2f0ca78538438a753c243234da43"
diff --git a/pyproject.toml b/pyproject.toml
index d686192..1adc2b7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -14,6 +14,7 @@ package-mode = false
 ruff = "^0.11.8"
 zizmor = "^1.6.0"
 python-debian = "^1.0.1"
+kernel-hardening-checker = {git = "https://github.com/a13xp0p0v/kernel-hardening-checker.git"}
 [tool.ruff]
 line-length = 100
diff --git a/scripts/check-hardening b/scripts/check-hardening
new file mode 100755
index 0000000..4778631
--- /dev/null
+++ b/scripts/check-hardening
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Run kernel-hardening-checker (https://github.com/a13xp0p0v/kernel-hardening-checker)
+# against each of our non-tiny kernel configs. The architecture and kernel version
+# are autodetected from each config's header.
+#
+# Run via `make hardening-check` so the checker from the Poetry environment is used.
+set -e
+set -u
+set -o pipefail
+ repo_root="$(git rev-parse --show-toplevel)"
+ # Our non-tiny kernel configs (tiny configs are intentionally excluded).
+configs=(
+ config-securedrop-6.6
+ config-workstation-6.6
+ config-workstation-6.18
+)
+ for config in "${configs[@]}"; do
+ echo "=================================================================="
+ echo "Checking ${config}"
+ echo "=================================================================="
+ kernel-hardening-checker -c "${repo_root}/configs/${config}" -m show_fail
+ echo
+done
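Review bot: The added `kernel-hardening-checker` git dependency carries no `rev`, `tag` or `branch`, so it resolves to whatever the remote's HEAD is at lock time (the lock file in this same commit records `reference = "HEAD"`), and any later `poetry lock` or `poetry update` will silently move the pin to new, unreviewed upstream code. For a tool fetched from a third-party repository and run against the project's kernel configs, pin the commit explicitly and advance it deliberately, e.g. `kernel-hardening-checker = {git = "https://github.com/a13xp0p0v/kernel-hardening-checker.git", rev = "0b9aebf818145f772407135b79418958c1ec5ed1"}`, which is the commit the lock already resolved to. The header of the dependency table this line belongs to is outside the hunk, so which group it lands in is inferred from the neighbouring `ruff`/`zizmor` entries.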
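Review bot: Because of `set -e` near the top of the script, a non-zero exit from the `kernel-hardening-checker` call inside the `for` loop aborts the run before the remaining configs are checked, so one failing config hides the results for the others; I cannot confirm from this hunk whether the checker exits non-zero when checks fail, but if it does, `make hardening-check` output will be truncated at the first bad config. Collect the status and fail once at the end instead: add `rc=0` before the loop, change the checker line to `kernel-hardening-checker -c "${repo_root}/configs/${config}" -m show_fail || rc=1`, and add `exit "${rc}"` after `done`. It would also help to state the intended contract in the header comment, e.g. `# Exit status is non-zero if any config produced a failing check.`, so callers know whether this target is a report or a gate.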