diff --git a/.gitignore b/.gitignore
index 9035ee4..f6dedc8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,6 @@ configuration.yaml
 # TLS certificate/key
 *.crt
 *.key
+
+# trivy artifacts
+.trivy
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e8b5efc..4f1ff94 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -58,7 +58,7 @@ test:

 dockerimage:
 stage: docker
- image: docker:latest
+ image: $DOCKER_REGISTRY/docker-make:latest
 services:
 - name: docker:dind
 alias: docker
@@ -71,9 +71,17 @@ dockerimage:
 - docker pull $DOCKER_REGISTRY/library/alpine:latest
 - docker tag $DOCKER_REGISTRY/library/alpine:latest alpine:latest
 - docker build -t $IMAGE_NAME_ENV .
+ # Run vulnerability scan before pushing the image
+ - make trivy DOCKER_TAG=$IMAGE_NAME_ENV
 - docker push $IMAGE_NAME_ENV
 - docker tag $IMAGE_NAME_ENV $IMAGE_NAME_GENERAL
 - docker push $IMAGE_NAME_GENERAL
+ cache:
+ paths:
+ - .trivy/.trivycache/
+ artifacts:
+ reports:
+ container_scanning: .trivy/gl-container-scanning-report.json

 nomadimage:
 stage: docker
diff --git a/Makefile b/Makefile
index e115212..75ecb92 100644
--- a/Makefile
+++ b/Makefile
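Review bot: The `artifacts:` block added at the end of the second `.gitlab-ci.yml` hunk has no `when:`, and GitLab uploads artifacts only for successful jobs by default; since `make trivy` exits non-zero precisely when CRITICAL findings exist, the container-scanning report is dropped in the one case it matters. Add `when: always` under `artifacts:` so the report still reaches the Security tab when the scan fails the job. Separately, nothing in this diff builds or pushes the `$DOCKER_REGISTRY/docker-make:latest` image the first hunk switches to, so the job presumably depends on a step outside this change — worth confirming, and pinning that tag to something more stable than `latest` once it exists.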
@@ -93,6 +93,22 @@ e2e-docker: docker ## Run e2e tests against the Docker container
 @timeout 30s bash -c "until curl -s -o /dev/null http://127.0.0.1:7200/; do sleep 0.1; done"
 @make e2e-test || EXIT=$$?; docker stop $(DOCKER_E2E_CONTAINER_NAME); exit $$EXIT

+# See https://aquasecurity.github.io/trivy/v0.18.1/integrations/gitlab-ci/
+TRIVY_VERSION = $(shell wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+.trivy/trivy:
+ @mkdir -p .trivy
+ @wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz -O - | tar -zxvf - -C .trivy
+ @chmod +x .trivy/trivy
+
+.PHONY: trivy
+trivy: .trivy/trivy ## Run trivy vulnerability scanner
+ # Build report
+ @.trivy/trivy --exit-code 0 --cache-dir .trivy/.trivycache/ --no-progress --format template --template "@.trivy/contrib/gitlab.tpl" -o .trivy/gl-container-scanning-report.json $(DOCKER_TAG)
+ # Print report
+ @.trivy/trivy --exit-code 0 --cache-dir .trivy/.trivycache/ --no-progress $(DOCKER_TAG)
+ # Fail on severe vulnerabilities
+ @.trivy/trivy --exit-code 1 --cache-dir .trivy/.trivycache/ --severity CRITICAL --no-progress $(DOCKER_TAG)
+
 .PHONY: help
 HELP_FORMAT=" \033[36m%-25s\033[0m %s\n"
 help: ## Display this help screen
diff --git a/ci/docker-make/Dockerfile b/ci/docker-make/Dockerfile
new file mode 100644
index 0000000..1a040a5
--- /dev/null
+++ b/ci/docker-make/Dockerfile
@@ -0,0 +1,3 @@
+FROM docker:latest
+
+RUN apk update && apk add make
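Review bot: `TRIVY_VERSION` on the second added line is a recursive `=` wrapping `$(shell wget …)`, so the GitHub API is queried once per expansion — twice in the `wget` URL of `.trivy/trivy` alone — and an unauthenticated, rate-limited or offline response expands to an empty string that yields a malformed download URL failing only at fetch time. More importantly, the scanner that gates the image push is itself fetched unpinned and unverified: whatever the latest release happens to be at build time is piped straight into `tar` with no digest comparison, so the build's security gate trusts the download path completely. Pin the version (`?=` so CI can override it), download to a file, and check it against the release's published SHA-256 before extracting; the rewritten `.trivy/trivy` rule below does that, with placeholders standing for the chosen version and digest. The three `trivy` recipe lines can stay as written, though note they only fail on CRITICAL findings — HIGH ones are printed but do not block the push, which is worth stating in the `## Run trivy vulnerability scanner` help text.
```make
# Pin the scanner; bump deliberately instead of resolving "latest" at build time.
TRIVY_VERSION ?= <pinned-trivy-version>
TRIVY_SHA256 ?= <sha256-of-release-tarball>
TRIVY_TARBALL := trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
.trivy/trivy:
	@mkdir -p .trivy
	@wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/$(TRIVY_TARBALL) -O .trivy/$(TRIVY_TARBALL)
	@echo "$(TRIVY_SHA256)  .trivy/$(TRIVY_TARBALL)" | sha256sum -c -
	@tar -zxf .trivy/$(TRIVY_TARBALL) -C .trivy
	@chmod +x .trivy/trivy
# … unchanged: .PHONY: trivy and the trivy target …
```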
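Review bot: `FROM docker:latest` on the first added line pins nothing, so the CI image this file produces changes silently with each upstream push and a given pipeline run cannot be reproduced later; pin a tag (and ideally a digest) and bump it deliberately. The `RUN` line also leaves the apk index in the image layer; `RUN apk add --no-cache make` fetches a fresh index and discards it, replacing both `apk update` and the leftover cache in one step.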