diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 9a02ee6..fc237e8 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -67,11 +67,28 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Scan Docker image
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
       - name: Push Docker image
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
+          # CAR-1446: git.farh.net does not support OCI referrers (distribution spec
+          # >=1.1 required for attestation push). Enabling provenance:true/sbom:true
+          # would cause the push to fail on the referrer PUT. The Grype scan step
+          # above is the compensating control — it fails the build on any unfixed
+          # high-severity CVE before the image reaches the registry.
           provenance: false
           sbom: false
           tags: ${{ steps.meta.outputs.tags }}
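Review bot: The new comment in the Push step's `with:` block says the scan "fails the build on any unfixed high-severity CVE", but the scan step is configured with `only-fixed: "true"`, which drops every finding that has no available fix, so CVEs without a fix pass the gate silently and the comment overstates the control; reword it to `# above is the compensating control — it fails the build on any high/critical CVE` / `# that has an available fix (only-fixed drops findings with no fix yet).` The scan also sets `output-format: sarif` but nothing persists `steps.scan.outputs.sarif`, and with `fail-build: true` the job stops at the failing scan, so a follow-up step with `if: always()` that uploads the report as an artifact is needed for the findings to be reviewable after a failure. The scanned reference `sha-${{ github.sha }}` uses the full commit SHA; if the meta step (outside this hunk) tags the image with the default short SHA, that tag may not exist in the local daemon and Grype would fall back to the registry, where the unpushed image is not yet present — confirm the tag format matches what the build step produced. As a minor style point, `only-fixed` is quoted while `fail-build` is not; both are string inputs to the action, so pick one form.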