diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 93abec22..720c59e4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,7 +66,7 @@ jobs:
docker:
needs: tests
- name: Build (and push) Docker image
+ name: Build Docker image
runs-on: ubuntu-latest
steps:
@@ -91,12 +91,76 @@ jobs:
RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
run: docker build . --tag $IMAGE_NAME:$RELEASE_VERSION
+ - run: docker image save -o image.tar $IMAGE_NAME:${{ steps.vars.outputs.tag }}
+
+ - name: Store image artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: docker-image
+ path: image.tar
+ retention-days: 1
+
+ image_scan:
+ runs-on: ubuntu-latest
+ name: Scan docker image
+ needs:
+ - docker
+
+ steps:
+ - name: Download built image
+ uses: actions/download-artifact@v3
+ with:
+ name: docker-image
+ - name: Scan image with Trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ input: /github/workspace/image.tar # from download-artifact
+ format: 'sarif'
+ output: 'trivy-results-docker.sarif'
+ ignore-unfixed: true
+ - name: Upload results to GH Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results-docker.sarif'
+
+ publish:
+ needs:
+ - tests
+ - docker
+
+ name: Push Docker image
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' # exclude PRs
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Download built image
+ uses: actions/download-artifact@v3
+ with:
+ name: docker-image
+
+ - name: Determine tag
+ id: vars
+ run: |
+ # Strip git ref prefix from version
+ VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+
+ # Strip "v" prefix from tag name (if present at all)
+ [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
+
+ # Use Docker `latest` tag convention
+ [ "$VERSION" == "master" ] && VERSION=latest
+
+ echo ::set-output name=tag::${VERSION}
+
+ - name: Load image
+ run: |
+ docker image load -i image.tar
+
- name: Log into registry
- if: github.event_name == 'push' # exclude PRs
run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
- name: Push the Docker image
- if: github.event_name == 'push' # exclude PRs
env:
RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
run:
docker push $IMAGE_NAME:$RELEASE_VERSION
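Review bot: The new `publish` job does not depend on `image_scan` — its `needs` lists only `tests` and `docker` — so the image is pushed to the registry regardless of what Trivy finds, and as configured (SARIF output, no `exit-code`/`severity` inputs) the scan step would not fail the job anyway, which makes the scan purely informational. If the intent is for the scan to gate the push, add `image_scan` to `publish.needs` and have the Trivy step fail on unfixed CRITICAL/HIGH findings while keeping the SARIF upload on `if: always()` so results still reach the Security tab. Separately, `aquasecurity/trivy-action@master` tracks a mutable branch; pin it to a release tag or commit SHA as the other actions here are pinned. The `Determine tag` step also interpolates `${{ github.ref }}` straight into the shell script — since the job only runs on push events this needs write access to abuse, but reading `$GITHUB_REF` from the environment instead avoids the script-injection pattern, and `::set-output` is deprecated in favour of `echo "tag=${VERSION}" >> "$GITHUB_OUTPUT"`.
```yaml
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master  # TODO: pin to a release tag or commit SHA
        with:
          # … unchanged: input / format / output / ignore-unfixed …
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
      - name: Upload results to GH Security tab
        if: always()
        # … unchanged: upload-sarif step …

  publish:
    needs:
      - tests
      - docker
      - image_scan
```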