diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index facce01..eae7678 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -33,13 +33,82 @@ jobs:
 - name: Build rock
 run: |
 rockcraft pack --verbose
-
 - name: Upload built rock job artifact
 uses: actions/upload-artifact@v3
 with:
 name: charmed_opensearch_rock_amd64
 path: "charmed-opensearch_*.rock"
+ scan:
+ name: Trivy scan and sbom generation
+ runs-on: ubuntu-20.04
+ timeout-minutes: 120
+ needs:
+ - build
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ - name: Download rock file
+ uses: actions/download-artifact@v3
+ with:
+ name: charmed_opensearch_rock_amd64
+ path: .
+
+ - name: Install required dependencies
+ run: |
+ # docker
+ # FIXME: v27.2.0 reports "...client version 1.22 is too old..." when trying to copy the
+ # rock to the local repository --revision=2932
+ sudo snap install docker --channel=latest/stable --revision=2932
+ sudo addgroup --system docker; sudo adduser $USER docker
+ newgrp docker
+ sudo snap disable docker; sudo snap enable docker
+ # skopeo
+ sudo snap install --devmode --channel edge skopeo
+ sudo snap install yq
+
+ - name: Create local image
+ run: |
+ version="$(cat rockcraft.yaml | yq .version)"
+
+ sudo skopeo \
+ --insecure-policy \
+ copy \
+ oci-archive:charmed-opensearch_${version}_amd64.rock \
+ docker-daemon:trivy/charmed_opensearch_rock_amd64:test
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: 'trivy/charmed_opensearch_rock_amd64:test'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'MEDIUM,HIGH,CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'image'
+ format: 'spdx-json'
+ output: 'dependency-results.sbom.json'
+ image-ref: 'trivy/charmed_opensearch_rock_amd64:test'
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
+ severity: "MEDIUM,HIGH,CRITICAL"
+ scanners: "vuln"
+
+ - name: Upload trivy report as a Github artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-sbom-report
+ path: '${{ github.workspace }}/dependency-results.sbom.json'
+ retention-days: 90
+
 test:
 name: Test Rock
 runs-on: ubuntu-latest