diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000000000..044879ebfb28c
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,17 @@
+name: Trivy
+
+on:
+  push:
+    branches:
+      - master
+      - branch/*
+  pull_request:
+  merge_group:
+
+jobs:
+  trivy:
+    uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@main
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000000000..e4293c0750663
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,23 @@
+# Dockerfiles and Kubernetes YAMLs don't support inline ignores with Trivy, so
+# we have to set a global ignore for these for now.
+AVD-DS-0002
+AVD-KSV-0109
+AVD-KSV-0110
+DS001
+DS013
+DS026
+KSV001
+KSV003
+KSV009
+KSV011
+KSV012
+KSV013
+KSV014
+KSV015
+KSV016
+KSV018
+KSV020
+KSV021
+KSV030
+KSV047
+KSV106
\ No newline at end of file
diff --git a/assets/loadtest/cluster/main.tf b/assets/loadtest/cluster/main.tf
index 454b4787fcdd9..42fb8cd4d165b 100644
--- a/assets/loadtest/cluster/main.tf
+++ b/assets/loadtest/cluster/main.tf
@@ -14,6 +14,12 @@ data "google_compute_network" "default" {
 }
 
+#trivy:ignore:AVD-GCP-0047
+#trivy:ignore:AVD-GCP-0049
+#trivy:ignore:AVD-GCP-0051
+#trivy:ignore:AVD-GCP-0056
+#trivy:ignore:AVD-GCP-0059
+#trivy:ignore:AVD-GCP-0061
 resource "google_container_cluster" "loadtest" {
   name = var.cluster_name
   location = var.region
@@ -25,6 +31,13 @@ resource "google_container_cluster" "loadtest" {
   initial_node_count = 1
 }
 
+#trivy:ignore:AVD-GCP-0048
+#trivy:ignore:AVD-GCP-0049
+#trivy:ignore:AVD-GCP-0050
+#trivy:ignore:AVD-GCP-0054
+#trivy:ignore:AVD-GCP-0057
+#trivy:ignore:AVD-GCP-0058
+#trivy:ignore:AVD-GCP-0063
 resource "google_container_node_pool" "loadtest" {
   name = var.cluster_name
   cluster = google_container_cluster.loadtest.name
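Review bot: The reusable workflow on the `uses:` line is referenced by the mutable branch ref `@main`, so whatever lands on that branch of gravitational/shared-workflows runs in this repository's CI with `security-events: write` on the next push or pull request, with no review or change recorded here. The workflow lives in the same org, which limits who can change it, but if the intent is to always track the shared workflow that should be stated in a comment; otherwise pin to a commit SHA and let a dependency bot bump it: `uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@<sha> # main`. A one-line comment noting that `pull_request` runs from forks get a read-only token (so any SARIF upload in the shared workflow presumably cannot write there — confirm against the shared workflow) would save the next person a debugging session.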
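Review bot: The global ignore list silences these checks for every Dockerfile and Kubernetes manifest in the repository, including ones added later, and carries no rationale per ID, so a reader cannot tell which suppressions are deliberate accepted risks and which were simply noisy at the time the scan was enabled. Trivy also accepts a `.trivyignore.yaml` whose `misconfigurations:` entries take `id`, `paths` and `statement` fields, which would scope each ignore to the files that need it and document the reason in place — worth checking that the Trivy version the shared workflow runs supports that format. At minimum, group the IDs under `#` comments that state why each group is accepted, and record in the header comment which Trivy version the "no inline ignores for Dockerfile/YAML" claim was checked against, since that claim is the only justification for the blanket ignore. The file also lacks a trailing newline, as the diff reports.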
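Review bot: Six `#trivy:ignore:` lines are attached to the cluster resource with no reason recorded, so the next reader cannot tell which GKE hardening findings are acceptable because this is a disposable load-test cluster (as the `assets/loadtest` path suggests) and which were silenced only to get the scan green. Add one comment above the group, e.g. `# Load-test cluster: intentionally not hardened; the findings below are accepted for this environment only`, and if the Trivy version in use supports an expiry suffix, use it so the suppressions are revisited rather than permanent (`#trivy:ignore:AVD-GCP-0047:exp:2025-06-30`). The same rationale comment should head the node-pool ignores in the next hunk, which repeat AVD-GCP-0049. The `google_container_cluster` resource body continues outside the hunk.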