diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 09e258901a0..2700fc2ae23 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -84,6 +84,18 @@ jobs:
 echo "exists=false" >> $GITHUB_OUTPUT
 fi
 
+ # Note: vulns found in scans do not currently block CI
+ - name: 'Grype scan APKs'
+ id: grype-scan
+ if: steps.file_check.outputs.exists == 'true'
+ run: |
+ set -x
+ for line in `cat packages.log`; do
+ # convert the melange output (e.g. "x86_64|grype|grype|0.63.0-r1" ) to an actual apk path
+ apk_path=$(echo "${line}" | awk '{ split($1, pkg, "|"); printf("packages/%s/%s-%s.apk\n", pkg[1], pkg[2], pkg[4]) }')
+ ./scripts/grype-scan-apk.sh "${apk_path}"
+ done
+
 - name: Check sonames
 id: soname
 if: steps.file_check.outputs.exists == 'true'
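Review bot: The loop in the new `Grype scan APKs` step iterates over `` `cat packages.log` `` unquoted, so each record is produced by shell word-splitting and globbing rather than line-by-line reading; any whitespace or glob character in a melange record would split or expand it before it reaches awk, and the `$1` in the awk program only equals the whole record because of that same splitting. The idiomatic form is `while IFS= read -r line; do` ... `done < packages.log`, with `printf '%s\n' "${line}"` in place of `echo "${line}"` so a record starting with `-` is not parsed as an echo option. Separately, the comment "vulns found in scans do not currently block CI" is only true if `./scripts/grype-scan-apk.sh` exits zero on findings, since GitHub's default `run` shell fails the step on any non-zero command; if that non-blocking behaviour is intended, making it explicit on the step (for example `continue-on-error: true`, accepting that it also hides scanner setup failures) is clearer than relying on the script's exit status. The hunk also still emits `set -x`, which prints every expanded path into the job log — harmless here, but worth noting if the log format changes.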