diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index b7fdc83..d54682c 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -6,7 +6,7 @@ on:
 paths:
 - pyproject.toml
 - Dockerfile
- - '*.py'
+ - "*.py"
 - tests/**
 - tools/**
 - utils/**
@@ -14,7 +14,7 @@ on:
 workflow_dispatch:
 
 concurrency:
- group: 'tests-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+ group: "tests-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
 cancel-in-progress: true
 
 jobs:
diff --git a/.github/workflows/test_image.yaml b/.github/workflows/test_image.yaml
new file mode 100644
index 0000000..66a669c
--- /dev/null
+++ b/.github/workflows/test_image.yaml
@@ -0,0 +1,58 @@
+---
+name: Test Image Build
+
+on:
+ pull_request:
+ paths:
+ - pyproject.toml
+ - Dockerfile
+ - "*.py"
+ - tests/**
+ - tools/**
+ - utils/**
+ - .github/workflows/**
+ workflow_call:
+ workflow_dispatch:
+
+concurrency:
+ group: "test-image-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+ cancel-in-progress: true
+
+jobs:
+ test_build:
+ name: Test Build
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # required for actions/checkout
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.sha }} # required for better experience using pre-releases
+ fetch-depth: "0" # Required due to the way Git works, without it this action won't be able to find any or the correct tags
+
+ - name: Log in to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build Docker image
+ id: build-to-test
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ load: true
+ push: false
+ tags: |
+ ghcr.io/sysdiglabs/sysdig-mcp-server:test
+
+ - name: Scan Docker image
+ uses: sysdiglabs/scan-action@v6
+ with:
+ image-tag: ghcr.io/sysdiglabs/sysdig-mcp-server:test
+ sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
+ sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
+ stop-on-failed-policy-eval: true
+ stop-on-processing-error: true
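Review bot: Every third-party action in the new workflow is referenced by a floating major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v5`, `sysdiglabs/scan-action@v6`), so a moved or compromised tag changes what runs with `secrets.GITHUB_TOKEN` and the two Sysdig secrets in scope; pin each to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`. The "Log in to GitHub Container Registry" step also looks unnecessary: the build runs with `push: false` / `load: true`, and the job grants only `contents: read`, so the token carries no `packages` scope anyway — either drop the login step or, if the Dockerfile pulls a private ghcr.io base image, add `packages: read` under `permissions` and say so in a comment. Finally, because the workflow triggers on `pull_request`, runs from forked repositories receive empty `SECURE_ENV_MON_API_KEY` / `SECURE_ENV_MON_ENDPOINT` values and the scan step will fail rather than be skipped; consider guarding it with `if: github.event.pull_request.head.repo.fork == false` or documenting that fork PRs are expected to fail at this step.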