diff --git a/script/release-workflow/run.sh b/script/release-workflow/run.sh
index e0f56e1..72dd14c 100755
--- a/script/release-workflow/run.sh
+++ b/script/release-workflow/run.sh
@@ -13,6 +13,7 @@ fi
 ${script_dir}/validate.sh
 ${script_dir}/docker-build.sh
+${script_dir}/../scan.sh ${DOCKER_IMAGE_ORG_AND_NAME}:latest
 if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
 bundle install
diff --git a/script/scan-inside-docker-container.sh b/script/scan-inside-docker-container.sh
new file mode 100755
index 0000000..257d2ac
--- /dev/null
+++ b/script/scan-inside-docker-container.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+set -eu
+
+apt-get update -y && apt-get install -y wget
+wget -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
+trivy filesystem --exit-code 1 --quiet /
\ No newline at end of file
diff --git a/script/scan.sh b/script/scan.sh
new file mode 100755
index 0000000..a84db47
--- /dev/null
+++ b/script/scan.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eu
+
+: "${1?Please provide the image to scan}"
+
+SCRIPT_DIR=$(cd "$(dirname $0)"/.. && pwd)
+
+docker run --rm \
+ -v ${PWD}/script/scan-inside-docker-container.sh:/pact_broker/scan-inside-docker-container.sh \
+ -u root \
+ --entrypoint /bin/sh \
+ "$1" \
+ /pact_broker/scan-inside-docker-container.sh
\ No newline at end of file
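Review bot: The added call in run.sh leaves both expansions unquoted, so a `script_dir` or `DOCKER_IMAGE_ORG_AND_NAME` value containing whitespace or glob characters is word-split before reaching scan.sh, and an empty `DOCKER_IMAGE_ORG_AND_NAME` silently turns the argument into the bare tag `:latest`, which still satisfies scan.sh's `${1?...}` check. Quote them: `"${script_dir}/../scan.sh" "${DOCKER_IMAGE_ORG_AND_NAME:?}:latest"`. Note also that scan.sh, as written in this commit, mounts the helper via `${PWD}/script/...`, so this invocation only works when run.sh is started from the repository root; whether the surrounding script guarantees that cannot be seen from the hunk, since run.sh continues outside it.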
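Review bot: The `wget ... | sh` line fetches the Trivy installer from the upstream `master` branch on every release run and executes it unpinned, so the scan step's own toolchain is an unverified, network-dependent download whose content can change (or be tampered with) between runs; for a release workflow that gates on `--exit-code 1`, this makes results non-reproducible and adds a supply-chain dependency that is stronger than the image being scanned. The installer accepts a release tag after the bindir, so at minimum pin it, e.g. `sh -s -- -b /usr/local/bin <TRIVY_VERSION_PLACEHOLDER>`, and preferably download the release archive plus its published checksum and verify before installing, or run the scanner from a pinned trivy image against the target rather than installing tools inside it. Separately, because this runs as root inside the image under test, `apt-get install` and the Trivy binary itself land in the scanned filesystem before `trivy filesystem /` runs, so findings may include packages the image does not actually ship; a comment stating that these additions are expected, e.g. `# NOTE: wget/trivy are installed into the scanned rootfs; findings may include them`, would help anyone triaging a failed gate.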
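Review bot: `SCRIPT_DIR` is computed on the `SCRIPT_DIR=$(cd "$(dirname $0)"/.. && pwd)` line but never used; the bind mount on the `-v ${PWD}/script/...` line uses the caller's working directory instead, so the script only finds its helper when invoked from the repository root and otherwise mounts a non-existent path (Docker will create an empty directory at the target, and the container then fails on the entrypoint script). Use the computed directory, quote it, and make the mount read-only since the helper never needs to be written: change the two lines to `SCRIPT_DIR=$(cd "$(dirname "$0")"/.. && pwd)` and `-v "${SCRIPT_DIR}/script/scan-inside-docker-container.sh:/pact_broker/scan-inside-docker-container.sh:ro" \`. `$0` inside `dirname $0` is also unquoted and should be quoted as shown.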