diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index ed04162..db419c0 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -36,13 +36,23 @@ jobs:
 shell: bash
 run: |
 make docker-build-notest
- - name: Anchore Scan
+ - name: Anchore Scanner
 uses: anchore/scan-action@v3
+ id: grype-scan
 with:
 image: controller:latest
 fail-build: true
- - name: Trivy Scan
+ severity-cutoff: high
+ debug: false
+ acs-report-enable: true
+ - name: Anchore upload scan SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+ - name: Trivy Scanner
 uses: aquasecurity/trivy-action@master
+ if: ${{ always() }}
 with:
 image-ref: controller:latest
 format: "table"
@@ -50,3 +60,10 @@ jobs:
 ignore-unfixed: true
 vuln-type: "os,library"
 severity: "CRITICAL,HIGH"
+ - name: Dockle Linter
+ uses: erzz/dockle-action@v1.3.1
+ if: ${{ always() }}
+ with:
+ image: controller:latest
+ exit-code: 42
+ failure-threshold: fatal
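Review bot: The new `if: always()` on the SARIF upload step and `if: ${{ always() }}` on the Trivy step run those steps even when the job is cancelled and even when the preceding `make docker-build-notest` step failed, so Trivy would then scan a `controller:latest` image that was never built and fail with an unrelated error. Gating on `${{ !cancelled() }}` keeps the intended run-after-Anchore-failure behaviour without the cancellation case, and the build dependency can be made explicit by adding `&& steps.<build-step-id>.outcome == 'success'` (the build step's id is outside the hunk, so the placeholder must be filled in). The two conditions should also use one spelling, either `if: always()` or `if: ${{ always() }}`, rather than both in the same job. The upload-sarif step needs `security-events: write` if the job or workflow restricts `permissions`; the job header is outside the hunk, so that cannot be confirmed here. `acs-report-enable: true` and `debug: false` are worth checking against the anchore/scan-action v3 input list, since if SARIF output is already the default in v3 the first of those lines is redundant.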
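Review bot: `uses: erzz/dockle-action@v1.3.1` pulls a third-party action from an individual account by a mutable tag, so the code that runs against every build can change without a change to this file; pinning to the release's full commit SHA (`uses: erzz/dockle-action@<full-commit-sha>  # v1.3.1`) makes the scanner's own supply chain reproducible, and the same applies to the `github/codeql-action/upload-sarif@v1` added in the first hunk (the pre-existing `aquasecurity/trivy-action@master` is the loosest of the three). The `if: ${{ always() }}` on this step has the same cancellation and failed-build issue raised on the first hunk. `exit-code: 42` together with `failure-threshold: fatal` presumably means only FATAL-level Dockle findings fail the step while lower levels are reported only; a comment above the step stating that, e.g. `# Only FATAL Dockle findings fail this step (exit 42); WARN/INFO are report-only`, would spare the next reader a trip to the action's README.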