diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
new file mode 100644
index 00000000..f34d7367
--- /dev/null
+++ b/.github/containerscan/allowedlist.yaml
@@ -0,0 +1,2 @@
+general:
+ vulnerabilities: [] # List of excluded CVEs (e.g: CVE-2021-3711)
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
new file mode 100644
index 00000000..29899ebc
--- /dev/null
+++ b/.github/workflows/cve-scan.yml
@@ -0,0 +1,22 @@
+name: "CVE Scan"
+on:
+ schedule:
+ - cron: '0 0 * * *'
+ workflow_dispatch: { }
+jobs:
+ scan-images:
+ name: Scan latest public image
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image: [ docker-asciidoctor ]
+ tag: [ latest ]
+ steps:
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'docker.io/asciidoctor/${{ matrix.image }}:${{ matrix.tag }}'
+ severity: 'CRITICAL,HIGH'
+ format: 'table'
+ # we can set to 0 to avoid breaking the pipeline
+ exit-code: '1'
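Review bot: `uses: aquasecurity/trivy-action@master` in the cve-scan.yml hunk resolves to whatever the action's default branch holds at run time, so every nightly run executes unreviewed third-party code with this workflow's token; pin it to a full commit SHA, `uses: aquasecurity/trivy-action@<commit-sha>  # vX.Y.Z`, and let a dependency bot bump it. The job also runs with the repository's default token permissions although it only scans a public image; add a top-level `permissions: { contents: read }` so a compromised step cannot write to the repo. The `.github/containerscan/allowedlist.yaml` from the first hunk does not appear to be referenced by this Trivy step (Trivy's own ignore file is `.trivyignore`), so CVEs listed there may never be honoured; either wire it in or state in its comment which tool consumes it. The comment `# we can set to 0 to avoid breaking the pipeline` would read better as `# exit-code '1' fails the job on CRITICAL/HIGH findings; set '0' to report only`.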