diff --git a/.drone.yml b/.drone.yml
index ac219ce..7f73f87 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -22,10 +22,22 @@ steps:
 
 - name: trivy-scan
   image: scm.project42.io/elia/trivy:production
-  privileged: true
   commands:
-    - /usr/local/bin/trivy image --image-src remote scm.project42.io/elia/trivy:pre-scan
-  failure: ignore
+    - /usr/local/bin/trivy image --image-src remote scm.project42.io/elia/trivy:"${DRONE_COMMIT_SHA:0:8}"
+  depends_on:
+    - test-build-container
+
+- name: retag-container
+  image: ghcr.io/oras-project/oras:v1.0.0
+  environment:
+    REGISTRY_USERNAME:
+      from_secret: registry_username
+    REGISTRY_PASSWORD:
+      from_secret: registry_password
+  commands:
+    - oras cp --from-username "$REGISTRY_USERNAME" --from-password "$REGISTRY_PASSWORD" --to-username "$REGISTRY_USERNAME" --to-password "$REGISTRY_PASSWORD" "scm.project42.io/elia/trivy:${DRONE_COMMIT_SHA:0:8}"  scm.project42.io/elia/trivy:post-scan
+  depends_on:
+    - trivy-scan
 
 trigger:
   exclude: