diff --git a/.github/workflows/execution-plan-main.yml b/.github/workflows/execution-plan-main.yml index 481897de6..31061254c 100644 --- a/.github/workflows/execution-plan-main.yml +++ b/.github/workflows/execution-plan-main.yml @@ -19,3 +19,10 @@ jobs: with: trigger: main secrets: inherit + + trivy-scan: + needs: [execution-plan] + uses: ./.github/workflows/trivy-scan.yml + with: + trigger: main + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 7ab8e32c2..2dfcedc2e 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -49,7 +49,7 @@ jobs: - name: Run trivy scan run: | cd trivy - earthly +scan-all --kuberpult_version="$IMAGE_TAG_KUBERPULT" + earthly +scan-all --kuberpult_version="$IMAGE_TAG_KUBERPULT" --trigger=${{ inputs.trigger }} - name: Archive reports uses: actions/upload-artifact@v4 with: diff --git a/trivy/Earthfile b/trivy/Earthfile index 9c9e3a7fb..55b5f297b 100644 --- a/trivy/Earthfile +++ b/trivy/Earthfile 
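Review bot: The new `trivy-scan` job leaves the file without a trailing newline (`\ No newline at end of file` on the new side), which yamllint's `new-line-at-end-of-file` rule rejects and which will make the next job appended here show up as a spurious edit to `secrets: inherit`. Add the newline after the final `secrets: inherit`. The `needs: [execution-plan]` / `with: trigger: main` / `secrets: inherit` shape matches the preceding reusable-workflow call, so there is nothing else to raise in this hunk.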
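Review bot: The added `--trigger=${{ inputs.trigger }}` on the `earthly +scan-all` line is expanded by the Actions template engine straight into the shell script, unquoted; `inputs.trigger` is a `workflow_call` input set by the calling workflow, so it is repository-controlled today, but the conventional hardening is to pass it through the environment and quote it: add `env:` with `TRIGGER: ${{ inputs.trigger }}` to the step and write `earthly +scan-all --kuberpult_version="$IMAGE_TAG_KUBERPULT" --trigger="$TRIGGER"`. Separately, the Earthfile change in this same commit makes the `pull-request` path emit no local artifact, so the `Archive reports` step that follows (its `with:` block continues past the hunk) may find nothing to upload; check its `if-no-files-found` setting or condition the step on the trigger value.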
@@ -18,18 +18,31 @@ deps: scan-all: FROM +deps ARG --required kuberpult_version - + ARG trigger="" ARG VERSION_REPORT_NAME="kuberpult-${kuberpult_version}-reports" ARG REPORT_TAR_NAME="${VERSION_REPORT_NAME}.tar.gz" RUN mkdir $VERSION_REPORT_NAME - FOR service IN $SERVICES - BUILD +scan-service --service=$service --version=$kuberpult_version - COPY (+scan-service/* --service=$service --version=$kuberpult_version) $VERSION_REPORT_NAME/ + IF [ "$trigger" == "pull-request" ] + FOR service IN $SERVICES + BUILD +scan-service-pr --service=$service --version=$kuberpult_version + END + ELSE + FOR service IN $SERVICES + BUILD +scan-service --service=$service --version=$kuberpult_version + COPY (+scan-service/* --service=$service --version=$kuberpult_version) $VERSION_REPORT_NAME/ + END + RUN tar -czf $REPORT_TAR_NAME $VERSION_REPORT_NAME/ + SAVE ARTIFACT $REPORT_TAR_NAME AS LOCAL $REPORT_TAR_NAME END - RUN tar -czf $REPORT_TAR_NAME $VERSION_REPORT_NAME/ - SAVE ARTIFACT $REPORT_TAR_NAME AS LOCAL $REPORT_TAR_NAME +scan-service-pr: + FROM +deps + ARG --required service + ARG --required version + CACHE --sharing locked --id trivy-cache /tmp/trivy_cache + + RUN trivy --cache-dir /tmp/trivy_cache --severity HIGH,CRITICAL --exit-code 1 image $IMAGE_REGISTRY/kuberpult-$service:$version scan-service: FROM +deps
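Review bot: `IF [ "$trigger" == "pull-request" ]` uses the bash-only `==` form; Earthly evaluates `IF` through the image's shell, and POSIX `test` on dash-based images only accepts `=`, so on such an image the test exits non-zero and Earthly takes the `ELSE` branch, meaning pull requests would silently run the main-branch `scan-service` path instead of the gating `scan-service-pr` one. Use `IF [ "$trigger" = "pull-request" ]`, which works in every shell. On the pull-request path the new `scan-service-pr` target fails the build on HIGH/CRITICAL findings via `--exit-code 1` but saves no report (no `COPY`/`SAVE ARTIFACT`), so a failing PR scan leaves only the build log to inspect; consider saving trivy's output from that target as well. `scan-service-pr` references `$IMAGE_REGISTRY` without declaring it as an `ARG`, presumably inherited from `+deps` — confirm; the trailing `scan-service:` context appears to continue past the visible end of the hunk.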