diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 68253cd..791cae4 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -75,6 +75,21 @@ jobs:
 load: true
 tags: drone-ssh:scan
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: "drone-ssh:scan"
+ format: "sarif"
+ output: "trivy-image-results.sarif"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-image-results.sarif"
+ category: "trivy-docker-image"
+
 - name: Build and push
 if: success()
 uses: docker/build-push-action@v7
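Review bot: The Trivy step sets `severity` but no `exit-code`, and trivy-action's default exit code is 0, so CRITICAL/HIGH findings are reported to the Security tab but never fail the job, which means the `if: success()` gate on the following "Build and push" step always passes; if the scan is meant to block the push, add `exit-code: "1"` under the step's `with:` (the SARIF upload still runs because of its `if: always()`), otherwise a comment such as `# report-only: findings do not block the push` would make the intent explicit. The `upload-sarif` step needs the job or workflow to grant `security-events: write`; the `permissions:` block is outside this hunk, so please confirm it is present, or the upload will likely fail with a permissions error. Both new actions, like the existing ones, are pinned to mutable tags (`@v0.35.0`, `@v4`) rather than full commit SHAs; pinning to a SHA with the version in a trailing comment removes the tag-retarget risk for a step that runs on every build of the image. The enclosing `steps:` list starts and ends outside the hunk.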