diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 048b5e0..408b23d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -108,3 +108,36 @@ jobs:
           name: docker-image
           path: image.tar
           retention-days: 1
+
+  image_scan:
+    runs-on: ubuntu-latest
+    name: Scan docker image
+    needs:
+      - docker-build
+
+    steps:
+      # So the scanner gets commit meta-information
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Download built image
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image-all-extensions-${{ needs.docker_build_setup.outputs.version }}
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          input: ${{ github.workspace }}/image.tar  # from download-artifact
+          format: 'sarif'
+          output: 'trivy-results-docker.sarif'
+          ignore-unfixed: true
+        env:
+          # Uses the cache from trivy.yml workflow
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
+      - name: Upload results to GH Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-docker.sarif'