diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f65850b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+trivy-report.html
+image.tar
diff --git a/Dockerfile b/Dockerfile
index a46ea40..e7b4fd0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,7 +23,7 @@ RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers \
     /var/lib/shared/vfs-images/images.lock /var/lib/shared/vfs-layers/layers.lock
 # Trivy html template
-ADD --chown=jenkins:jenkins html.tpl /home/jenkins/
+ADD --chown=jenkins:jenkins html.tpl /home/jenkins/agent
 # Make docker in Jenkinsfiles work
 RUN ln -s /usr/bin/podman /usr/bin/docker
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..cb03ab2
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,39 @@
+pipeline {
+  agent { node { label 'podman && trivy && aws' } }
+  stages {
+    stage('Build'){
+      steps {
+        sh 'make build'
+      }
+    }
+    stage('Scan'){
+      environment {
+        TRIVY_TEMPLATE = "@${env.WORKSPACE}/html.tpl"
+        TRIVY_FORMAT = "template"
+        TRIVY_OUTPUT = "reports/trivy.html"
+      }
+      steps {
+        // Scan via trivy
+        sh 'mkdir -p reports'
+        sh 'make scan'
+        publishHTML target : [
+          allowMissing: true,
+          alwaysLinkToLastBuild: true,
+          keepAll: true,
+          reportDir: 'reports',
+          reportFiles: 'trivy.html',
+          reportName: 'Trivy Scan',
+          reportTitles: 'Trivy Scan'
+        ]
+
+        // Scan again and fail on CRITICAL vulns
+        sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
+      }
+    }
+    stage('Push'){
+      steps {
+        sh 'make push'
+      }
+    }
+  }
+}
diff --git a/Makefile b/Makefile
index 92a547d..2098361 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ REGISTRY := public.ecr.aws/zero-downtime
 REPOSITORY := jenkins-podman
 TAG := $(REPOSITORY):v$(VERSION)
-.PHONY: build push clean
+.PHONY: build push clean scan
 all: build
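Review bot: The new destination `/home/jenkins/agent` has no trailing slash, so if that path does not already exist as a directory in the base image at this point of the build, ADD writes the template as a regular file literally named `agent` rather than as `/home/jenkins/agent/html.tpl`, and the agent workdir later collides with a file. Whether the directory pre-exists is not visible in this diff, so the safe form is to make the intent explicit: `COPY --chown=jenkins:jenkins html.tpl /home/jenkins/agent/`. COPY is also preferable to ADD for a plain local file, since ADD additionally performs URL fetches and archive auto-extraction that this line does not need.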
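Review bot: The second `make scan` in the Scan stage inherits the same `TRIVY_OUTPUT = "reports/trivy.html"` (and template/format) from the stage environment, so it rewrites the workspace report with CRITICAL-only findings right after the full report was handed to publishHTML; if publishHTML archives at step time the published copy is unaffected, but the file left in the workspace is the filtered one and the two runs are easy to confuse when debugging. Nothing in the pipeline ever runs `make clean`, so `image.tar` survives in a persistent workspace into the next build as well. Suggest giving the gating run its own output, `sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL TRIVY_OUTPUT=reports/trivy-critical.html make scan'`, and adding `post { always { sh 'make clean' } }` to the pipeline so the tarball and reports do not outlive the build.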
@@ -17,9 +17,8 @@ push:
 	podman push $(REGISTRY)/$(TAG)
 clean:
-	podman rmi -f $(TAG)
+	rm -f image.tar trivy-report.html
 scan:
-	podman save $(TAG) -o image.tar
-	trivy image --input image.tar --format template --template @./html.tpl -o report.html
-	rm -f image.tar
+	[ -f image.tar ] || podman save $(TAG) -o image.tar
+	trivy image --input image.tar
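Review bot: The guard `[ -f image.tar ] || podman save $(TAG) -o image.tar` means the scan never re-exports the image once a tarball exists, so after `make build` produces a new image in a workspace that still holds a previous `image.tar`, both the report and the CRITICAL gate in the Jenkinsfile evaluate the stale image and the newly built one is pushed unscanned; nothing in this diff deletes the tarball between builds. Since the image is not a file Make can track, the conservative fix is to always export, `podman save $(TAG) -o image.tar`, or alternatively have the `build` target end with `rm -f image.tar` so a rebuild invalidates the cache (`build` is outside this hunk). Separately, `clean` now removes `trivy-report.html`, which no recipe in this diff writes (the Jenkinsfile writes `reports/trivy.html` and plain `make scan` prints to stdout), and no longer removes the built image via `podman rmi`, so local clean-ups leave the image behind.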