diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 15f79c73..13e29be6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -149,6 +149,18 @@ jobs:
       - name: Check formatting
         run: ./scripts/check-formatting.sh
 
+  security_scan:
+    name: Security scan with trivy
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Scan with trivy
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          trivy-config: trivy.yaml
+
   build_image:
     name: Build image
     runs-on: ubuntu-24.04
diff --git a/scripts/run_trivy.sh b/scripts/run_trivy.sh
new file mode 100755
index 00000000..a4c8d526
--- /dev/null
+++ b/scripts/run_trivy.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source "$( dirname "${BASH_SOURCE[0]}" )/common-functions.sh"
+
+repo="https://github.com/Opetushallitus/koto-rekisteri"
+reportDir="temp"
+repoName="koto-rekisteri"
+trivyImage=aquasec/trivy:latest
+
+docker pull ${trivyImage}
+
+docker run --rm \
+  --volume trivy-cache:/trivy-cache \
+  --volume ${reportDir}:/reports \
+  ${trivyImage} \
+  repo ${repo} \
+  --cache-dir /trivy-cache \
+  --scanners vuln \
+  --format json \
+  --output /reports/${repoName}_trivy.json
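Review bot: The new `security_scan` job references `aquasecurity/trivy-action@0.28.0` and `actions/checkout@v4` by mutable tag, so a force-pushed or compromised tag would change what runs in CI with write access to the repo's default token; pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<sha> # v0.28.0`. The job also declares no `permissions:` block, and unless the workflow sets a restrictive default at top level (outside this hunk) it inherits the repository default token scopes it does not need — `permissions:` / `contents: read` on the job keeps it least-privilege. Whether findings actually fail the build depends on `trivy.yaml`, which is not part of this diff; if that file does not set `exit-code: 1` (and a severity threshold), the scan is advisory only, which is worth stating in a comment next to `trivy-config: trivy.yaml`.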
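Review bot: `--volume ${reportDir}:/reports` with `reportDir="temp"` is a named-volume mount, not a bind mount, because Docker treats a source without a leading `/` or `./` as a volume name; the JSON report is written into a Docker volume called `temp` and never appears in the host's `temp/` directory. Use an absolute host path and create it first: `mkdir -p "${reportDir}"` before the run and `--volume "$(pwd)/${reportDir}:/reports" \` in the mount. Separately, `trivyImage=aquasec/trivy:latest` pulls an unpinned image for a security tool, which makes results non-reproducible and trusts whatever the tag points at on the day — pin a version tag, or better a digest, e.g. `trivyImage="aquasec/trivy:0.58.0@sha256:<digest>"` (and quote `${trivyImage}`/`${repo}` at their use sites while here). Note this script scans the remote `repo https://github.com/...` rather than the local checkout, so it does not cover uncommitted or branch changes the way the CI `fs` scan of `.` does; if that is intentional a one-line comment saying so would prevent the two paths being assumed equivalent.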