diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 680f516c..f0f95075 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -74,7 +74,7 @@ jobs:
         cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }}
     - name: Scan image with Trivy
-      uses: aquasecurity/trivy-action@0.32.0
+      uses: aquasecurity/trivy-action@0.33.1
       with:
         image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
         format: "table"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cc9a2889..4d79ae06 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,6 +33,16 @@ jobs:
       with:
         submodules: recursive
+    - name: Scan code with Trivy
+      uses: aquasecurity/trivy-action@0.33.1
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        exit-code: "1"
+        ignore-unfixed: true
+        severity: "CRITICAL,HIGH,MEDIUM"
+        scanners: "vuln"
     - name: Cache
       uses: Swatinem/rust-cache@v2
       with:
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index ecf7b1b6..6f0c7b52 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -32,7 +32,8 @@ jobs:
         format: 'spdx-json'
         output: "defguard-gateway-${{ env.VERSION }}.sbom.json"
         scan-ref: '.'
-        severity: "CRITICAL,HIGH,MEDIUM"
+        severity: "CRITICAL,HIGH,MEDIUM,LOW"
+        scanners: "vuln"
     - name: Create docker image SBOM with Trivy
       uses: aquasecurity/trivy-action@0.33.1
@@ -41,7 +42,7 @@ jobs:
         scan-type: 'image'
         format: 'spdx-json'
         output: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
-        severity: "CRITICAL,HIGH,MEDIUM"
+        severity: "CRITICAL,HIGH,MEDIUM,LOW"
         scanners: "vuln"
     - name: Upload SBOM
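Review bot: The new "Scan code with Trivy" step in ci.yml references the action by a mutable tag (`uses: aquasecurity/trivy-action@0.33.1`), so a step that is meant to gate CI on vulnerabilities is itself resolved through a ref the upstream owner can move; pin it to the full commit SHA of the 0.33.1 release and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # v0.33.1`. `scanners: "vuln"` also turns off Trivy's secret scanner for a filesystem scan of the checkout (including the recursively checked-out submodules), which is where a leaked credential would be found; `scanners: "vuln,secret"` is the usual choice for an `fs` scan. Finally, `ignore-unfixed: true` combined with `exit-code: "1"` means findings with no upstream fix never fail the job, which is a deliberate trade-off worth stating in a comment above the step, e.g. `# Fails the job on MEDIUM+ vulnerabilities that have a fix available; unfixed findings are reported but do not block.`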
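Review bot: The widened filter `severity: "CRITICAL,HIGH,MEDIUM,LOW"` on the filesystem SBOM step in sbom.yml still omits UNKNOWN, so any finding Trivy cannot assign a severity to is dropped from an artifact whose purpose is a complete inventory; if the intent is "everything", use `severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"` or remove the filter. The step's `scan-type` and `name` lines are above this hunk, so I cannot confirm this is an `fs` scan, but `scan-ref: '.'` suggests it is. A one-line comment recording why the severity list was widened (e.g. `# Include LOW so the SBOM lists every known vulnerability, not just the ones that gate CI`) would keep this from being "tightened back" in a later cleanup.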
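Review bot: On the docker-image SBOM step in sbom.yml, `severity: "CRITICAL,HIGH,MEDIUM,LOW"` together with `scanners: "vuln"` is only meaningful if the chosen output carries vulnerability data, and `format: 'spdx-json'` selects SPDX, which to my understanding is a component inventory without a vulnerability section — please confirm against the Trivy documentation for the pinned version, and if vulnerability data in the SBOM is the goal, consider `format: 'cyclonedx'` (which does carry it) or keep a separate `table`/`sarif` scan for findings. As written, the same severity list appears three times across ci.yml and the two sbom.yml steps with different omissions (UNKNOWN never included), so a comment next to each stating which severities are intentionally excluded would make the policy auditable. The step's header (`name`/`uses`) is outside this hunk.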