diff --git a/.github/workflows/build-update-gitops-pr-branch.yaml b/.github/workflows/build-update-gitops-pr-branch.yaml index 4ab0179..9d91d06 100644 --- a/.github/workflows/build-update-gitops-pr-branch.yaml +++ b/.github/workflows/build-update-gitops-pr-branch.yaml @@ -46,6 +46,7 @@ jobs: permissions: contents: read packages: write + security-events: write if: ${{ (needs.get-build-mode.outputs.SHOULD_BUILD == 'true') || (needs.get-build-mode.outputs.SHOULD_BUILD_DEPLOY == 'true') }} uses: ./.github/workflows/build.yaml diff --git a/.github/workflows/build-update-gitops.yaml b/.github/workflows/build-update-gitops.yaml index 07572ec..03506ac 100644 --- a/.github/workflows/build-update-gitops.yaml +++ b/.github/workflows/build-update-gitops.yaml @@ -27,6 +27,7 @@ jobs: permissions: contents: read packages: write + security-events: write uses: ./.github/workflows/build.yaml get-short-sha: diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 86e860d..af7d585 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -16,6 +16,7 @@ jobs: permissions: contents: read packages: write + security-events: write steps: - name: Checkout uses: actions/checkout@v4 @@ -31,6 +32,7 @@ jobs: tags: | type=sha type=ref,event=pr + type=raw,value=${{ github.ref_name }} - name: Login to GHCR uses: docker/login-action@v3 with: 
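Review bot: The new `type=raw,value=${{ github.ref_name }}` tag in the build.yaml `tags:` hunk is derived from the triggering ref, so on the new scheduled run it resolves to the default branch name and every weekly rebuild republishes the image under that tag, while on `pull_request` runs it is `<number>/merge` (docker/metadata-action appears to sanitise the slash, but the resulting tag should be verified). If the raw tag exists only to give the scheduled job a predictable `image-ref`, it would be clearer to gate it, e.g. `type=raw,value=${{ github.ref_name }},enable=${{ github.event_name != 'pull_request' }}`, and to add a comment above it stating why the tag is needed. The three `security-events: write` grants in the caller jobs (build-update-gitops-pr-branch.yaml, build-update-gitops.yaml, build.yaml) are what `upload-sarif` requires; if any of these workflows also runs on `pull_request` from forks, the token stays read-only there regardless of the grant and the upload step will fail on those runs. The `tags:` block's enclosing step (the metadata action) starts outside the hunk.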
@@ -53,3 +55,18 @@ jobs: tags: ${{ steps.meta.outputs.tags }} cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ env.CACHE_TAG }} cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ env.CACHE_TAG }},mode=max + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.32.0 + with: + image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:${{ steps.meta.outputs.version }}' + severity: 'CRITICAL,HIGH' + format: 'sarif' + output: 'trivy-results.sarif' + + # To review results for a PR in the GitHub Security tab, filter for "pr:NUM tool:Trivy is:open" + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/scheduled.yaml b/.github/workflows/scheduled.yaml new file mode 100644 index 0000000..7711381 --- /dev/null +++ b/.github/workflows/scheduled.yaml @@ -0,0 +1,14 @@ +name: Scheduled trivy scan + +on: + workflow_dispatch: + schedule: + - cron: '30 8 * * 1' + +jobs: + call-build-workflow: + permissions: + contents: read + packages: write + security-events: write + uses: ./.github/workflows/build.yaml
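Review bot: The Trivy step runs after the build/push step that precedes it in this hunk and sets no `exit-code`, so an image with CRITICAL/HIGH findings is already in the registry by the time it is scanned and the job still succeeds; if the scan is meant to gate, add `exit-code: '1'` (optionally with `ignore-unfixed: true`) or scan the locally built image before pushing. `image-ref` pulls by the mutable tag in `steps.meta.outputs.version`; if the build step exposes a digest output, scanning `${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}@<digest>` ties the SARIF to the exact artifact that was pushed. `if: always()` on the upload step is the right pattern once `exit-code` is set (findings are uploaded even when the scan step fails), but as written it also runs after a build failure when `trivy-results.sarif` was never written, producing a second, misleading failure. The action pins are mixed (`trivy-action@0.32.0` by version tag, the others by major tag); pinning third-party actions to a commit SHA with the version in a trailing comment is the more robust convention for a step that handles credentials to the registry.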
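Review bot: The weekly job in scheduled.yaml calls build.yaml with `packages: write`, so it rebuilds and, if the build step pushes (the registry `cache-to` suggests it does), republishes the image rather than scanning the image that was previously built and deployed; findings therefore describe a fresh build of the default branch, and the branch-named tag moves every Monday. A scan-only job that runs `aquasecurity/trivy-action` against the existing `image-ref` with `contents: read` and `security-events: write` would report on the published artifact without needing `packages: write`. Whichever is intended, a comment above `schedule:` such as `# Mondays 08:30 UTC: rescan the published image for newly disclosed CVEs` would make the purpose of the rebuild explicit.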