diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml deleted file mode 100644 index f34d7367..00000000 --- a/.github/containerscan/allowedlist.yaml +++ /dev/null @@ -1,2 +0,0 @@ -general: - vulnerabilities: [] # List of excluded CVEs (e.g: CVE-2021-3711) diff --git a/README.adoc b/README.adoc index f999d07d..f1cc4094 100644 --- a/README.adoc +++ b/README.adoc @@ -121,6 +121,7 @@ You need the following tools: * link:http://man7.org/linux/man-pages/man1/make.1.html[GNU make] * link:https://github.com/sstephenson/bats[Bats] installed and in your bash PATH * Docker installed and in your path +* link:https://github.com/aquasecurity/trivy[Trivy] cli in case you want to scan images for vulnerabilities === How to build and test? @@ -145,6 +146,21 @@ export DOCKER_IMAGE_NAME_TO_TEST=your-image-name bats tests/*.bats ---- +=== How to scan for vulnerabilities? + +* Trivy scans a docker image looking for software versions containing known vulnerabilities (CVEs). +It's always a good idea to scan the image to ensure no new issues are introduced. + +* Run the following command to replicate the repo's `CVE Scan` pipeline on an image build locally. +Note the pipeline runs nightly on the latest release version, so it can display issues solved in main branch. ++ +[source,bash] +---- +trivy image --severity HIGH,CRITICAL asciidoctor:latest +---- + + + ==== Deploy The goal for deploying is to make the Docker image available with the correct Docker tag in Docker Hub.
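Review bot: Deleting `.github/containerscan/allowedlist.yaml` only makes sense if the workflow that read it (the container-scan step under `.github/`) is removed or repointed in the same change, and that workflow is not in this diff; please confirm it no longer references this path, otherwise the nightly scan will fail on a missing allowlist. Since the file held an empty exclusion list (`vulnerabilities: []`), no suppressed CVEs are lost, but the README should state where excluded CVEs are now recorded for the Trivy-based scan so that exclusions are still reviewable in version control rather than applied ad hoc.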
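Review bot: In the "You need the following tools" bullet, "Trivy cli in case you want to scan images" should read "Trivy CLI, if you want to scan images for vulnerabilities" (capitalise CLI, and "if" rather than "in case"), matching the wording of the other tool entries, which name the tool and its purpose in one clause.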
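Review bot: The new "How to scan for vulnerabilities?" section says the command replicates the `CVE Scan` pipeline "on an image build locally", but the example scans the fixed tag `asciidoctor:latest`, which, unless the local build was tagged exactly that way, will pull and scan the published Docker Hub image rather than the one just built; the section above already defines `DOCKER_IMAGE_NAME_TO_TEST=your-image-name`, so reuse it: `trivy image --severity HIGH,CRITICAL "$DOCKER_IMAGE_NAME_TO_TEST"`. Wording: "an image build locally" should be "an image built locally", and "so it can display issues solved in main branch" should be "so it may report issues that are already fixed on the main branch". Finally, the three empty `+` lines before `==== Deploy` add trailing blank lines to the document; one blank line is enough.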