diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
new file mode 100644
index 0000000..d7ac147
--- /dev/null
+++ b/.github/workflows/vulnerabilities.yml
@@ -0,0 +1,49 @@
+name: Check vulnerabilities
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    branches:
+      - master
+    paths-ignore:
+      - '!**.md'
+  release:
+    types:
+      - released
+
+jobs:
+
+  vulnerabilities:
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        working-directory: .
+    steps:
+    - name: Checkout pygeometa
+      uses: actions/checkout@master
+    - name: Scan vulnerabilities with trivy
+      uses: aquasecurity/trivy-action@v0.35.0
+      with:
+        scan-type: fs
+        exit-code: 1
+        ignore-unfixed: true
+        severity: CRITICAL,HIGH
+        scanners: vuln,misconfig,secret
+        scan-ref: .
+    - name: Build locally the image from Dockerfile
+      run: |
+        docker buildx build -t ${{ github.repository }}:${{ github.sha }} --platform linux/amd64 --no-cache -f Dockerfile .
+    - name: Scan locally built Docker image for vulnerabilities with trivy
+      uses: aquasecurity/trivy-action@v0.35.0
+      env:
+        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+      with:
+        scan-type: image
+        exit-code: 1
+        ignore-unfixed: true
+        severity: CRITICAL,HIGH
+        vuln-type: os,library
+        image-ref: '${{ github.repository }}:${{ github.sha }}'