diff --git a/.github/workflows/pr-checker.yml b/.github/workflows/pr-checker.yml
index f0cea063d..91e81dc16 100644
--- a/.github/workflows/pr-checker.yml
+++ b/.github/workflows/pr-checker.yml
@@ -56,8 +56,6 @@ jobs:
 format: 'table'
 severity: 'CRITICAL,HIGH'
 vuln-type: 'os,library'
- #[vishwa] - Fix telegraf & test all for next release - see work item #https://msazure.visualstudio.com/InfrastructureInsights/_workitems/edit/13322134
- skip-files: '/usr/sbin/telegraf,/opt/telegraf'
 exit-code: '1'
 timeout: '5m0s'
 ignore-unfixed: true
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 000000000..1b6a7090b
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,17 @@
+# related to telegraf
+#[vishwa] - Fix telegraf & test all for next release - see work item #https://msazure.visualstudio.com/InfrastructureInsights/_workitems/edit/13322134
+CVE-2021-43816
+CVE-2022-23648
+CVE-2022-24450
+CVE-2022-26652
+CVE-2019-3826
+CVE-2022-27191
+CVE-2021-42836
+ # ruby in /usr/lib
+CVE-2020-36327
+CVE-2021-43809
+CVE-2021-41816
+CVE-2021-41819
+CVE-2021-31799
+CVE-2021-28965
\ No newline at end of file
diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index e94bf71bb..38103dd65 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
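Review bot: With `skip-files` removed, this step's result now depends on the new root `.trivyignore` being honoured by the action; trivy reads `.trivyignore` from its working directory by default, which should hold for a checkout-root run, but the step shows no explicit ignore-file input, so confirm this against the action version in use (if the action exposes a `trivyignores:` input, setting it makes the dependency visible). The step also still scans `severity: 'CRITICAL,HIGH'` while the Dockerfile stage in this same commit gates on `HIGH,CRITICAL,MEDIUM`, so the two gates can disagree on the same image; either align the workflow with `severity: 'CRITICAL,HIGH,MEDIUM'` or add a comment stating why the PR gate is intentionally looser. The enclosing job definition starts and ends outside the hunk.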
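Review bot: Each entry here is a global suppression by CVE id, so `CVE-2020-36327` and the other ids under `# ruby in /usr/lib` would also hide the same CVE if it later appears in a package outside `/usr/lib`, and nothing in the file says when an entry should be revisited. Give each entry a trailing comment naming the affected package and a revisit date (the `exp:` suffix, e.g. `CVE-2020-36327 exp:<date>`, lets trivy enforce the date if the version in use supports it), and put the work-item reference in those per-entry comments rather than a single header comment. The file is also missing its final newline, as the `\ No newline at end of file` marker shows.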
@@ -39,8 +39,17 @@
 RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
 # Do vulnerability scan in a seperate stage to avoid adding layer
 FROM base_image AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
-RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL --skip-files "/usr/sbin/telegraf" --skip-files "/opt/telegraf" --skip-files "/usr/local/bin/trivy" /
+COPY .trivyignore .trivyignore
+RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" /
+RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib
+RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" / > /dev/null 2>&1 && trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib > /dev/null 2>&1
 # Revert to base layer before vulnscan
 FROM base_image AS ContainerInsights
+# force the trivy stage to run
+# docker buildx (BUILDKIT) does not build stages which do not affect the final stage
+# by copying over a file we create a dependency
+# see: https://github.com/docker/build-push-action/issues/377
+COPY --from=vulnscan /usr/local/bin/trivy /usr/local/bin/trivy
+RUN rm /usr/local/bin/trivy
 CMD [ "/opt/main.sh" ]
\ No newline at end of file
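Review bot: The forced-dependency `COPY --from=vulnscan /usr/local/bin/trivy /usr/local/bin/trivy` followed by `RUN rm /usr/local/bin/trivy` leaves the trivy binary in the final image's layer history, because `rm` only masks it in a later layer; that defeats the stated purpose of the separate stage ("to avoid adding layer") and ships a scanner binary inside the shipped image. Copy a zero-byte marker instead: in the vulnscan stage add `RUN touch /vulnscan-ok` after the gating scan, and in the final stage replace the two lines with `COPY --from=vulnscan /vulnscan-ok /vulnscan-ok`. Separately, `COPY .trivyignore .trivyignore` relies on trivy finding the file in the stage's working directory, which is not visible in the hunk; `COPY .trivyignore /.trivyignore` together with `--ignorefile /.trivyignore` on the scan lines makes that dependency explicit. The gating `RUN` sends both scans to `/dev/null`, so a failure in the second `/usr/lib` scan reports nothing beyond the exit code; the two reporting runs above it only cover that as long as their flags are kept identical to the gating line.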