diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 66024a3..28b0cb4 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -47,6 +47,30 @@ jobs:
- name: Build image
run: |
docker build -t ${{ github.event.repository.name }} .
+ - name: Trivy - List all vulnerabilities
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '${{ github.event.repository.name }}'
+ format: 'table'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
+ - name: Trivy - Stop on Severe Vulnerabilities
+ uses: aquasecurity/trivy-action@master
+ if: github.event_name == 'pull_request'
+ with:
+ image-ref: '${{ github.event.repository.name }}'
+ format: 'table'
+ ignore-unfixed: true
+ trivyignores: .github/workflows/.trivyignore
+ exit-code: '1'
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
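Review bot: Both new steps pull `aquasecurity/trivy-action@master` (the two `uses:` lines), so the gate that fails pull requests on CRITICAL/HIGH findings runs whatever the branch head holds at that moment — an unpinned mutable ref on a security control that also receives the freshly built image, unlike the surrounding `docker/metadata-action@v4`. Pin it to a full commit SHA with a version comment, e.g. `uses: aquasecurity/trivy-action@<FULL_COMMIT_SHA>  # <release tag>`, and let an updater such as Dependabot bump it. `TRIVY_SKIP_DB_UPDATE: true` on both steps also means the scan depends on a vulnerability database already present on the runner; on a fresh hosted runner that can be absent or stale, so either drop the setting or add a comment stating where the DB is expected to come from (a cache step or a self-hosted runner, which is not visible in this hunk). Finally, the `exit-code: '1'` step is limited by `if: github.event_name == 'pull_request'`, so a direct push to the branch still continues to the Docker meta step with only the non-blocking listing scan — worth a one-line comment if that is intentional.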
diff --git a/pom.xml b/pom.xml
index 6ec0e97..ad733bc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
- 3.3.4
+ 3.3.5
eu.dissco.core