diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 5169319..7d18631 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -17,10 +17,19 @@ jobs:
       rockcraft-revisions: '{"amd64": "1783", "arm64": "1784"}'
       arch-skipping-maximize-build-space: '["arm64"]'
       platform-labels: '{"arm64": ["Ubuntu_ARM64_4C_16G_01"]}'
+  scan-images:
+    uses: canonical/k8s-workflows/.github/workflows/scan_images.yaml@main
+    needs: [build-and-push-arch-specifics]
+    secrets: inherit
+    with:
+      upload-result: ${{ github.event_name == 'push' }}
+      images: ${{ needs.build-and-push-arch-specifics.outputs.images }}
+      trivy-image-config: ./trivy.yaml
   build-and-push-multiarch-manifest:
     name: Combine Rocks and Push Multiarch Manifest
     uses: canonical/k8s-workflows/.github/workflows/assemble_multiarch_image.yaml@main
     needs: [build-and-push-arch-specifics]
+    if: ${{ needs.build-and-push-arch-specifics.outputs.changed-rock-metas != '[]' }}
     with:
-      rock-metas: ${{ needs.build-and-push-arch-specifics.outputs.rock-metas }}
+      rock-metas: ${{ needs.build-and-push-arch-specifics.outputs.changed-rock-metas }}
       dry-run: ${{ github.event_name != 'push' }}