diff --git a/.forgejo/workflows/docker-build.yml b/.forgejo/workflows/docker-build.yml
index 3f76b5d..12af44d 100644
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@@ -33,7 +33,43 @@ jobs:
 fi
 done
+ scan:
+ needs: check-docker
+ runs-on: docker-cli
+ services:
+ docker:
+ image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
+ options: --privileged
+ container:
+ image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
+ steps:
+ - name: Checkout the repo
+ uses: actions/checkout@v4
+ - name: Build proxy image for scanning
+ run: docker build -t scan/proxy:latest ./proxy
+ - name: Scan proxy image
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: scan/proxy:latest
+ format: table
+ exit-code: '1'
+ severity: HIGH,CRITICAL
+ ignore-unfixed: true
+ vuln-type: os,library
+ - name: Build claude image for scanning
+ run: docker build -t scan/claude:latest ./claude
+ - name: Scan claude image
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: scan/claude:latest
+ format: table
+ exit-code: '1'
+ severity: HIGH,CRITICAL
+ ignore-unfixed: true
+ vuln-type: os,library
 build-and-push:
+ needs: scan
 runs-on: docker-cli
 services:
 docker: