diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
new file mode 100644
index 0000000..843f197
--- /dev/null
+++ b/.github/containerscan/allowedlist.yaml
@@ -0,0 +1,7 @@
+general:
+  bestPracticeViolations:
+    # We violate this rule because we add kubectl from a remote location
+    # Instead of building it from source/copying it.
+    # Until we change our practices (e.g. have Dockerfile build kubectl
+    # in a multi-staged manner), we should skip this check
+    - CIS-DI-0009
diff --git a/.github/workflows/vulnerability-scan.yaml b/.github/workflows/vulnerability-scan.yaml
new file mode 100644
index 0000000..b5bb93b
--- /dev/null
+++ b/.github/workflows/vulnerability-scan.yaml
@@ -0,0 +1,14 @@
+# This should not be made a mandatory test
+# It is only used to make us aware of any potential security failure, that
+# should trigger a bump of the image in build/.
+name: "Image vulnerability scan"
+on: [push, pull_request]
+jobs:
+  build-and-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
+      - uses: Azure/container-scan@v0
+        with:
+          image-name: docker.io/${{ github.repository_owner }}/kured:${{ github.sha }}