diff --git a/.github/workflows/scan-image.yml b/.github/workflows/scan-image.yml
new file mode 100644
index 00000000..6b1b4e82
--- /dev/null
+++ b/.github/workflows/scan-image.yml
@@ -0,0 +1,48 @@
+---
+name: Scan Image
+
+on:
+ pull_request:
+ branches:
+ - main
+
+permissions: {}
+
+jobs:
+ scan-image:
+ name: Scan Image
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Build Image
+ id: build_image
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+ with:
+ push: false
+ load: true
+ tags: ingestion-notify
+
+ - name: Scan Image (Produce SARIF)
+ id: scan_image
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+ with:
+ image-ref: ingestion-notify
+ format: sarif
+ output: trivy-results.sarif
+ trivyignores: .trivyignore.yaml
+
+ - name: Upload SARIF
+ if: always()
+ id: upload_sarif
+ uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v2.2.7
+ with:
+ sarif_file: trivy-results.sarif
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 00000000..e6446c43
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,4 @@
+# vulnerabilities:
+# - id: CVE-2023-XXXXX
+# statement: Bla bla bla
+# expired_at: 2023-09-01
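Review bot: The Upload SARIF step pins `github/codeql-action/upload-sarif` to a v2 commit (`# v2.2.7`) while every sibling step pins a current release; the codeql-action v2 line is deprecated in favour of v3, so this is the step most likely to stop accepting uploads and it should be moved to a current v3 commit, `uses: github/codeql-action/upload-sarif@<v3-commit-sha> # v3.x.y` (placeholder, take the SHA from the release). `if: always()` on the same step also runs it when Build Image or the scan has failed and no `trivy-results.sarif` exists, which turns the real failure into a confusing missing-file error on upload; `if: ${{ !cancelled() && steps.scan_image.outcome != 'skipped' }}` keeps the upload-on-scan-failure intent without that. With trivy-action's default `exit-code`, findings never fail the PR check and are only visible in code scanning, so if the scan is meant to gate merges the step needs `exit-code: 1` and a `severity` threshold. On `pull_request` runs from forks the token is read-only regardless of the job's `permissions:` block, so the SARIF upload would fail there, assuming the repository accepts fork PRs.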
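Review bot: The ignore file template is written in Trivy's YAML format (`vulnerabilities:` / `id` / `statement` / `expired_at`), but the workflow hands it to trivy-action through the `trivyignores:` input; as far as I recall that input concatenates the listed files into an extension-less ignore file and passes it with `--ignorefile`, and Trivy selects the YAML parser by the `.yaml`/`.yml` extension, so once uncommented these entries may be read as the plain one-ID-per-line format and silently suppress nothing — verify against the pinned action version before relying on it. If the YAML format is wanted (it is the one that carries `statement` and `expired_at`), set `TRIVY_IGNOREFILE: .trivyignore.yaml` in the scan step's `env:` instead of using `trivyignores:`. A short header comment such as `# Trivy YAML ignore file: every entry needs a justification in statement and a future expired_at so suppressions are reviewed rather than kept forever` would make the expectation explicit for whoever adds the first real entry.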