diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index 0406afcd3..23231a6ee 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -28,3 +28,52 @@ jobs:
 go-version: "1.23"
 check-latest: true
 - uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2
+
+ scan_vulnerabilities:
+ name: "[Trivy] Scan for vulnerabilities"
+ runs-on: ubuntu-22.04
+ timeout-minutes: 15
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+ - name: Download trivy
+ run: |
+ pushd $(mktemp -d)
+ wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+ tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+ echo "$(pwd)" >> $GITHUB_PATH
+ env:
+ TRIVY_VERSION: "0.57.0"
+
+ - name: Download trivy db
+ run: |
+ trivy image \
+ --download-db-only \
+ --db-repository=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db,docker.io/aquasec/trivy-db
+
+ - name: Run trivy on git repository
+ run: |
+ trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
+
+ - name: Build docker images
+ run: |
+ make docker-build
+ env:
+ REGISTRY: e2e
+ IMAGE_VERSION: test
+ ALL_LINUX_ARCH: amd64 # build amd64 only to speed up PR gate
+ OUTPUT_TYPE: type=docker
+
+ - name: Run trivy on images
+ run: |
+ exit_code=0
+ for img in "e2e/proxy:test" "e2e/proxy-init:test" "e2e/webhook:test"; do
+ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL --ignore-unfixed --pkg-types="os,library" "${img}" || exit_code=1
+ done
+ exit $exit_code
diff --git a/.pipelines/nightly.yaml b/.pipelines/nightly.yaml
index f1720e130..79728824e 100644
--- a/.pipelines/nightly.yaml
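Review bot: The `Download trivy` step extracts and puts on `PATH` a tarball fetched with `wget` without any integrity check, so a tampered or substituted release asset would execute with the job's token; trivy releases publish a `trivy_<version>_checksums.txt` next to the tarball, so add `wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_checksums.txt` followed by `sha256sum --check --ignore-missing trivy_${TRIVY_VERSION}_checksums.txt` before the `tar zxvf` line. Since `env:` already exports `TRIVY_VERSION` to the shell, reference it as `${TRIVY_VERSION}` instead of interpolating `${{ env.TRIVY_VERSION }}` into the script body — the value is a hard-coded literal here so it is not injectable today, but `${{ }}` inside `run:` is exactly the pattern that becomes a script-injection hole the day the variable is sourced from an input or event payload. The `actions/checkout` SHA pin carries no `# vX.Y.Z` comment, unlike the `harden-runner` and `govulncheck-action` pins in the same file, which leaves that SHA untraceable for Dependabot/Renovate and for reviewers; add the matching tag comment. Minor: `--ignore-unfixed` is passed twice in the final `trivy image` command, and the `trivy fs` scan has no `--exit-code`, so repository findings are printed but never gate the PR — confirm that is intended.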
+++ b/.pipelines/nightly.yaml @@ -13,12 +13,6 @@ schedules: pool: staging-pool-amd64-mariner-2 jobs: - - job: scan_images - timeoutInMinutes: 30 - workspace: - clean: all - steps: - - template: templates/scan-images.yaml - job: verify_deployment_yaml timeoutInMinutes: 30 workspace: @@ -62,7 +56,6 @@ jobs: - job: timeoutInMinutes: 60 dependsOn: - - scan_images - verify_deployment_yaml workspace: clean: all @@ -97,7 +90,6 @@ jobs: - template: templates/upgrade.yaml parameters: dependsOn: - - scan_images - verify_deployment_yaml matrix: upgrade_aks_windows: @@ -112,7 +104,6 @@ jobs: - ImageOverride -equals azcu-agent-amd64-mariner-2-cgv2-img timeoutInMinutes: 60 dependsOn: - - scan_images - verify_deployment_yaml workspace: clean: all diff --git a/.pipelines/pr.yaml b/.pipelines/pr.yaml index 58e589cea..83878a1e2 100644 --- a/.pipelines/pr.yaml +++ b/.pipelines/pr.yaml @@ -18,12 +18,6 @@ pr: pool: staging-pool-amd64-mariner-2 jobs: - - job: scan_images - timeoutInMinutes: 30 - workspace: - clean: all - steps: - - template: templates/scan-images.yaml - job: lint timeoutInMinutes: 30 workspace: @@ -65,7 +59,6 @@ jobs: timeoutInMinutes: 60 dependsOn: - lint - - scan_images - shellcheck workspace: clean: all @@ -112,7 +105,6 @@ jobs: - ImageOverride -equals azcu-agent-amd64-mariner-2-cgv2-img dependsOn: - lint - - scan_images - shellcheck workspace: clean: all diff --git a/.pipelines/templates/scan-images.yaml b/.pipelines/templates/scan-images.yaml deleted file mode 100644 index 5e60d40fc..000000000 --- a/.pipelines/templates/scan-images.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -steps: - - script: make docker-build - displayName: make docker-build - env: - REGISTRY: e2e - IMAGE_VERSION: test - ALL_LINUX_ARCH: amd64 # build amd64 only to speed up PR gate - OUTPUT_TYPE: type=docker - - script: | - wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION:-0.24.4}/trivy_${TRIVY_VERSION:-0.24.4}_Linux-64bit.tar.gz - tar zxvf trivy_${TRIVY_VERSION:-0.24.4}_Linux-64bit.tar.gz - # show all vulnerabilities in the logs - ./trivy image --reset - for IMAGE_NAME in "proxy" "proxy-init" "webhook"; do - ./trivy image "${REGISTRY}/${IMAGE_NAME}:${IMAGE_VERSION}-linux-amd64" - ./trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL "${REGISTRY}/${IMAGE_NAME}:${IMAGE_VERSION}-linux-amd64" || exit 1 - done - displayName: Scan images - env: - REGISTRY: e2e - IMAGE_VERSION: test - TRIVY_VERSION: $(TRIVY_VERSION)