diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
new file mode 100644
index 0000000000..e46f53f4d9
--- /dev/null
+++ b/.github/workflows/cve-scan.yaml
@@ -0,0 +1,37 @@
+name: Docker Image Scan
+on:
+  push:
+    branches:
+      - 'master'
+    tags:
+      - 'v*.*.*'
+  pull_request:
+    branches:
+      - 'master'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Build images
+        shell: bash
+        run: |
+          make docker
+      - name: Scan image Dev
+        uses: anchore/scan-action@v3
+        with:
+          image: oryd/oathkeeper:dev
+          fail-build: true
+          severity-cutoff: high
+      - name: Scan image Alpine
+        uses: anchore/scan-action@v3
+        with:
+          image: oryd/oathkeeper:dev-alpine
+          fail-build: true
+          severity-cutoff: high
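Review bot: Every third-party action in this workflow (`actions/checkout@v2`, `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `anchore/scan-action@v3`) is pinned to a mutable major-version tag, so a compromised or force-pushed tag upstream would run arbitrary code in this job with the default `GITHUB_TOKEN`; a workflow whose purpose is supply-chain hygiene should pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: anchore/scan-action@<commit-sha>  # v3`. The workflow also declares no `permissions:` block, so the token inherits the repository default rather than the read-only scope these steps need; adding `permissions:` with `contents: read` at the top level would apply least privilege. Since `fail-build: true` makes the scan block merges, consider whether the scan output should also be surfaced (the scan step produces a report that is otherwise only visible in the job log), though the page does not show how results are consumed.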