diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index a048ba4..e34109c 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -113,3 +113,43 @@ jobs:
 run: |
 docker stop saltstack_master registry
 docker image rm ${IMAGE_NAME}
+
+ security-analysis:
+ name: Security analysis
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Docker registry data from build job
+ uses: actions/download-artifact@v2
+ with:
+ name: docker-registry-data
+ path: ${{ env.REGISTRY_PATH }}
+
+ - name: Enable Docker experimental
+ run: |
+ # Enable docker daemon experimental support.
+ echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
+ sudo systemctl restart docker
+ # Install QEMU multi-architecture support for docker buildx.
+ docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+
+ - name: Start Docker registry
+ run: |
+ docker run -d -p 5000:5000 -v ${REGISTRY_PATH}:/var/lib/registry --name registry registry:2
+
+ - name: Import Docker images
+ run: docker pull --platform linux/amd64 ${IMAGE_NAME}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.IMAGE_NAME }}
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'HIGH,CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index aa0d3a6..183951c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
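Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a mutable branch, so whatever is on that branch at run time executes inside this job with the workflow's token; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<sha> # vX.Y.Z`), and consider the same treatment for `actions/download-artifact@v2` and `github/codeql-action/upload-sarif@v1`. The Trivy step has no `exit-code` input, so HIGH/CRITICAL findings are uploaded to the Security tab but never fail the job; add `exit-code: '1'` (optionally with `ignore-unfixed: true`) if the scan is meant to gate merges rather than only report. The "Enable Docker experimental" step runs an unpinned Docker Hub image with `--privileged`, which looks unnecessary for a job that only does `docker pull --platform linux/amd64` — if the QEMU/buildx setup is not actually needed here, drop it. `upload-sarif` also requires `security-events: write`; whether the workflow's `permissions` block grants that is outside this hunk.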
@@ -88,3 +88,32 @@ jobs:
 cache-to: type=local,dest=${{ env.CACHE_PATH }}
 push: true
 tags: ${{ steps.metadata.outputs.tags }}
+
+ security-analysis:
+ name: Security analysis
+ runs-on: ubuntu-latest
+ needs: publish
+ if: github.event_name == 'release'
+ steps:
+ - name: Prepare metadata
+ id: metadata
+ run: |
+ IMAGE_REF="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}"
+ echo ::set-output name=image_ref::${IMAGE_REF}
+
+ - name: Import Docker images
+ run: docker pull ${{ steps.metadata.outputs.image_ref }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.metadata.outputs.image_ref }}
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'HIGH,CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: 'trivy-results.sarif'
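Review bot: Because this job runs with `needs: publish`, the release image has already been pushed with `push: true` by the time Trivy inspects it, so a HIGH/CRITICAL finding is reported only after the vulnerable tag is public, and with no `exit-code` input the job does not even go red; if the scan is meant to gate releases, scan the built image before the push step, or at minimum add `exit-code: '1'` so the failure is visible on the release. `uses: aquasecurity/trivy-action@master` is a mutable branch ref for a third-party action — pin it to a release tag or a full commit SHA. `echo ::set-output name=image_ref::${IMAGE_REF}` uses the deprecated workflow command; write `echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT"` instead. The `${GITHUB_REF_NAME:-latest}` fallback is presumably never reached under the `release` guard, but if it were, the job would silently scan `latest` rather than the tag that was just published.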