diff --git a/.github/workflows/scan-docker-images.yml b/.github/workflows/scan-docker-images.yml
new file mode 100644
index 0000000..d454080
--- /dev/null
+++ b/.github/workflows/scan-docker-images.yml
@@ -0,0 +1,48 @@
+name: Scan Docker Images
+
+env:
+  REGISTRY: ghcr.io
+on:
+  pull_request:
+jobs:
+  scan_docker_images:
+    name: Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+      actions: read
+    strategy:
+      matrix:
+        IMAGE:
+          - 'openhands/runtime-api:sha-4eedee2'
+          - 'openhands/enterprise-server:sha-818f743'
+          - 'openhands/runtime:818f743dc7ca35ee219b95ee9878e07836aa831a-nikolaik'
+    steps:
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        # This only reports, does not fail the build on CVE.
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ matrix.IMAGE }}
+          # trixie: sha-f1c75a7
+          # default: sha-07c8732
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          timeout: '10m'
+          scanners: 'vuln' # Only scan vulnerabilities, not secrets/config
+      # - name: Customize SARIF with image flavor
+      #   shell: bash
+      #   run: |
+      #     IMAGE_WITH_TAG="all-hands-ai/enterprise-server:pr-11114"
+      #     IMAGE_WITHOUT_TAG="${IMAGE_WITH_TAG%%:*}"
+      #     # Modify the tool name to include the image flavor
+      #     jq --arg flavor "${{ env.IMAGE_WITHOUT_TAG }}" \
+      #       '.runs[0].tool.driver.name = "Trivy (" + $flavor + ")"' \
+      #       trivy-results-raw.sarif > trivy-results.sarif
+      #     echo "Modified tool name to: $(jq -r '.runs[0].tool.driver.name' trivy-results.sarif)"
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
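Review bot: The scanner step runs `uses: aquasecurity/trivy-action@master`, a mutable branch ref, so whoever can push to that branch can change what executes in this job; pin it to a full commit SHA with the version as a trailing comment (`uses: aquasecurity/trivy-action@<full-sha> # vX.Y.Z`), as is already done in spirit for `upload-sarif@v3`. The job only pulls images and uploads SARIF, yet it grants `packages: write`; `packages: read` is enough to pull from ghcr.io and should replace it, since a `pull_request` job is the last place to hold a publish-capable token. The three matrix entries all upload SARIF for the same commit under the same tool name, which GitHub treats as one result set unless each upload carries a distinct `category` (the commented-out "Customize SARIF with image flavor" step looks like an earlier attempt at this); adding `category: 'trivy-${{ matrix.IMAGE }}'` under the upload step's `with:` keeps the three reports from replacing one another. Separately, the matrix pins fixed image tags (`sha-4eedee2`, `sha-818f743`), so on a `pull_request` this scans a snapshot rather than anything the PR built, and the SARIF on the PR will never change with the PR; presumably that is a placeholder to be replaced by the PR's own image refs, which is worth stating in a comment on the matrix.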