diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml
new file mode 100644
index 0000000..a58c350
--- /dev/null
+++ b/.github/workflows/blackduck.yml
@@ -0,0 +1,45 @@
+name: blackduck
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+permissions:
+ issues: write
+ checks: write
+ pull-requests: write
+
+jobs:
+ build:
+ runs-on: [ubuntu-latest]
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v3
+ - name: Black Duck Full Scan
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: synopsys-sig/synopsys-action@v1.6.0
+ env:
+ DETECT_PROJECT_NAME: "MED_ca-injector"
+ with:
+ blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+ blackduck_token: ${{ secrets.BLACKDUCK_TOKEN }}
+ blackduck_scan_full: true
+ blackduck_scan_failure_severities: "BLOCKER,CRITICAL"
+ blackduck_fixpr_enabled: true
+ blackduck_fixpr_maxCount: 5
+ blackduck_fixpr_filter_severities: "CRITICAL,HIGH"
+ blackduck_fixpr_useUpgradeGuidance: "SHORT_TERM,LONG_TERM"
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Black Duck PR Scan
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: synopsys-sig/synopsys-action@v1.6.0
+ env:
+ DETECT_PROJECT_NAME: "MED_ca-injector"
+ with:
+ blackduck_url: ${{ secrets.BLACKDUCK_URL }}
+ blackduck_token: ${{ secrets.BLACKDUCK_TOKEN }}
+ blackduck_scan_full: false
+ blackduck_prComment_enabled: true
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 22d5466..2caeef5 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,12 +2,12 @@ name: release
 on:
 schedule:
- - cron: '0 22 * * 0' # every sunday at 10pm
+ - cron: "0 22 * * 0" # every sunday at 10pm
 push:
 branches:
- - 'main'
+ - "main"
 tags:
- - 'v?[0-9]+.[0-9]+.[0-9]+*'
+ - "v?[0-9]+.[0-9]+.[0-9]+*"
 pull_request:
 jobs:
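Review bot: Every action in this new workflow is referenced by a mutable tag (`actions/checkout@v3`, `synopsys-sig/synopsys-action@v1.6.0`), so the code that receives `secrets.BLACKDUCK_TOKEN` and a `pull-requests: write` token can change without any commit in this repository; pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: synopsys-sig/synopsys-action@<full-commit-sha> # v1.6.0`. The same applies, more acutely, to `aquasecurity/trivy-action@master` in the release.yaml hunk at +95, which tracks a moving branch rather than a release. The `permissions` block declares `issues`, `checks` and `pull-requests` but not `contents`, and once any scope is declared the undeclared ones default to none, so the checkout step is likely to fail with a permission error on a private repository unless `contents: read` is added. On `pull_request` events from forks the `secrets.*` values are empty and the token is read-only, so the PR Scan step presumably fails for external contributors; consider guarding it with `github.event.pull_request.head.repo.full_name == github.repository` or documenting that only same-repo branches are scanned.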
@@ -51,7 +51,7 @@ jobs:
 - name: Set up GO
 uses: actions/setup-go@v5
 with:
- go-version: '1.21'
+ go-version: "1.21"
 - name: Build GO app
 run: |
 GOOS=linux CGO_ENABLED=0 go build -o app
@@ -95,3 +95,13 @@ jobs:
 org.opencontainers.image.version=${{ steps.env.outputs.version }}
 org.opencontainers.image.revision=${{ github.sha }}
 org.opencontainers.image.licenses=${{ github.event.repository.license.name }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ image-ref: ${{ steps.env.outputs.tags }}
+ format: "table"
+ exit-code: "1"
+ ignore-unfixed: true
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH"
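Review bot: The Trivy step runs after the image has been built and, judging by `image-ref: ${{ steps.env.outputs.tags }}` naming the registry tags rather than a local image, presumably after it has already been pushed, so a CRITICAL/HIGH finding fails the job via `exit-code: "1"` but does not stop the vulnerable image from being published. Scanning the locally built image before the push step, or making the push depend on this step, would turn the scan into an effective gate. The `if: ${{ github.event_name != 'pull_request' }}` also means PR builds are never scanned, which is acceptable only if PR images are not pushed anywhere; a one-line comment above the step stating that assumption, e.g. `# PR builds are not pushed, so they are not gated here`, would make the intent explicit. The enclosing job starts outside the hunk.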