diff --git a/.github/workflows/push-code-scan.yml b/.github/workflows/push-code-scan.yml
new file mode 100644
index 0000000..ba80aea
--- /dev/null
+++ b/.github/workflows/push-code-scan.yml
@@ -0,0 +1,39 @@
+name: Image Vulnerability Scan
+# Secrets can only viewed in "push" events. Not pull_request events.
+# That's why this step needs to be called on push, and not on pull_request (to read docker login password).
+
+on:
+  workflow_call:
+
+env:
+  REPO: ${{ github.repository }}/temp #Add /temp for temporary images
+
+jobs:
+
+  push-container-scan:
+    runs-on: ubuntu-22.04
+
+    steps:
+
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: ${{ vars.NPM_REGISTRY }}
+          token: ${{ secrets.NPM_TOKEN }}
+
+      - name: Install npm dependencies
+        run: |
+          npm install -g pnpm
+          pnpm install
+
+      - name: Scan container image for vulnerabilities with grype
+        uses: anchore/scan-action@v6
+        with:
+          path: "."
+          cache-db: true #Cache Grype DB in Github Actions
+          output-format: table
+          only-fixed: true
+          severity-cutoff: critical
+          fail-build: true
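Review bot: The grype step is given `path: "."`, so it scans the checked-out working tree (including whatever `pnpm install` placed in it), not a container image, yet the workflow name, the step name and the otherwise-unused `REPO: ${{ github.repository }}/temp` env entry all describe an image scan; either drop `env.REPO` and rename the workflow/step to say "dependency scan", or build the image first and pass it to the action via `image:` instead of `path:`. The header comment about needing a push event to read a docker login password likewise has no corresponding login or build step in this file, so it will mislead the next maintainer. With `severity-cutoff: critical` combined with `only-fixed: true`, a fixable high-severity finding never fails the build; confirm that threshold is intended rather than defaulting to `high`. Since this is a reusable workflow, add an explicit least-privilege token scope, e.g. `permissions:` / `  contents: read` at top level, and consider pinning the three third-party actions to full commit SHAs rather than floating major tags.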