diff --git a/.gitea/workflows/trivy_scan_image.yml b/.gitea/workflows/trivy_scan_image.yml
new file mode 100644
index 0000000..1114b3d
--- /dev/null
+++ b/.gitea/workflows/trivy_scan_image.yml
@@ -0,0 +1,32 @@
+name: release-tag
+
+on:
+  workflow_dispatch: # Manuelles Auslösen des Workflows
+    inputs:
+      image_tag:
+        description: 'Tag für das zu scannende Docker-Image z.B. latest'
+        required: true
+        default: 'latest'
+
+env:
+  image_name: 404_games
+  registry: gitea.tebarius.duckdns.org
+  user: tebarius
+
+jobs:
+  release-image:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Scan image with trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: "${{ env.registry }}/${{ env.user }}/${{ env.image_name }}:${{ github.event.inputs.image_tag }}"
+          scan-type: image
+          hide-progress: true
+          ignore-unfixed: true
+          severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+          scanners: "vuln,misconfig,secrets"
+        env:
+          TRIVY_USERNAME: "${{ env.user }}"
+          TRIVY_PASSWORD: "${{ secrets.DOCKER_PULL_TOKEN }}"
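Review bot: The scan result is never acted on — the step sets no `exit-code`, so (assuming trivy-action's default of 0) the job succeeds whatever Trivy finds, and with `hide-progress: true` and no `format`/`output` the only record is the job log. Add `exit-code: "1"` under `with:` so findings fail the run (narrowing `severity` to `"HIGH,CRITICAL"` if only those should block), and consider writing the report to a file via `format`/`output` and uploading it as an artifact so results outlive log retention. Pin the action to a full commit SHA instead of the mutable tag in `uses: aquasecurity/trivy-action@0.33.1`, since this step is handed a registry credential through `TRIVY_PASSWORD`. Finally, `name: release-tag` and the job id `release-image` describe a release workflow rather than an image scan; `name: trivy-scan-image` and a job id such as `scan-image` would match the file name and what the single step does.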