diff --git a/.github/workflows/ghcr_push_nightly.yml b/.github/workflows/ghcr_push_nightly.yml
index a09264e8764..1a82f997e56 100644
--- a/.github/workflows/ghcr_push_nightly.yml
+++ b/.github/workflows/ghcr_push_nightly.yml
@@ -44,6 +44,19 @@ jobs:
 - name: Build images
 run: mvn -Pct package -Dct.build.tag="${IMAGE_TAG}" -Dct.build.registry="${REGISTRY}"
+ - name: Scan Dataverse image
+ id: scan
+ uses: anchore/scan-action@v2
+ with:
+ image: "${{ env.REGISTRY }}/gdcc/dataverse-k8s:${{ env.IMAGE_TAG }}"
+ # fail-build: true
+ severity-cutoff: critical
+ acs-report-enable: true
+ - name: upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
+
 - name: Log in to the Container registry
 uses: docker/login-action@v1
 if: ${{ github.event_name == 'push' }}