diff --git a/repo-cve-scan.gitlab-ci.yml b/repo-cve-scan.gitlab-ci.yml
new file mode 100644
index 0000000..2baef93
--- /dev/null
+++ b/repo-cve-scan.gitlab-ci.yml
@@ -0,0 +1,20 @@
+.repo_cve_scan:
+  image:
+    name: docker.io/aquasec/trivy:0.23.0
+    entrypoint: [ "" ]
+  stage: test
+  needs: []
+  variables:
+    EXITCODE: 1
+    TRIVY_EXTRA_ARGS: "--no-progress --ignore-unfixed --severity HIGH,CRITICAL"
+    SCAN_PATH: "."
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    reports:
+      junit: junit-report.xml
+  script:
+    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so artifacts: can take it from there
+    - trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code 0 --security-checks vuln,config --format template  --format template --template "/contrib/junit.tpl" -o junit-report.xml $SCAN_PATH
+    - trivy --cache-dir .trivycache/ fs --timeout 15m $TRIVY_EXTRA_ARGS --exit-code $EXITCODE --security-checks vuln,config $SCAN_PATH