diff --git a/.github/workflows/scan-chart-images.yaml b/.github/workflows/scan-chart-images.yaml
new file mode 100644
index 000000000..75e4982c8
--- /dev/null
+++ b/.github/workflows/scan-chart-images.yaml
@@ -0,0 +1,69 @@
+---
+name: Scan Chart Images
+
+on:
+ workflow_dispatch:
+# Disabling auto-checking.
+# There are often many vulnerabilities in these images, but we don't own them.
+# It just adds to noise if this is failing all the time.
+#
+# push:
+# branches: ["main"]
+# paths:
+# - '.github/workflows/scan-chart-images.yaml'
+# - 'charts/k8s-monitoring/docs/examples/**'
+# pull_request:
+# paths:
+# - '.github/workflows/scan-chart-images.yaml'
+# - 'charts/k8s-monitoring/docs/examples/**'
+
+jobs:
+ list-container-images:
+ name: List Container Images
+ runs-on: ubuntu-latest
+ outputs:
+ images: ${{ steps.list_images.outputs.images }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install yq
+ uses: dcarbone/install-yq-action@v1.1.1
+
+ - name: List Container Images
+ id: list_images
+ working-directory: charts/k8s-monitoring
+ run: |
+ files=$(find docs/examples -name output.yaml)
+ touch images.txt
+ for file in $files; do
+ if [ "${file}" == "docs/examples/private-image-registries/output.yaml" ]; then
+ continue
+ fi
+ {
+ yq -r -o json '. | select(.kind=="DaemonSet") | .spec.template.spec.containers[].image' "${file}"
+ yq -r -o json '. | select(.kind=="Deployment") | .spec.template.spec.containers[].image' "${file}"
+ yq -r -o json '. | select(.kind=="Job") | .spec.template.spec.containers[].image' "${file}"
+ yq -r -o json '. | select(.kind=="Pod") | .spec.containers[].image' "${file}"
+ yq -r -o json '. | select(.kind=="StatefulSet") | .spec.template.spec.containers[].image' "${file}"
+ } >> images.txt
+ done
+ echo "images=$(sort --unique < images.txt | jq --raw-input --slurp --compact-output 'split("\n") | map(select(. 
!= ""))')" >> "${GITHUB_OUTPUT}"
+
+ scan-container-images:
+ name: Scan Container Images
+ needs: list-container-images
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image: ${{ fromJson(needs.list-container-images.outputs.images) }}
+ fail-fast: false
+ steps:
+ - name: Run Trivy
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: ${{ matrix.image }}
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: false
+ severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/test-v1.yml b/.github/workflows/test-v1.yml
index 232555e2d..c72160a60 100644
--- a/.github/workflows/test-v1.yml
+++ b/.github/workflows/test-v1.yml
@@ -80,17 +80,11 @@ jobs: - name: Install Helm uses: azure/setup-helm@v4 - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.9' - check-latest: true - - name: Set up chart-testing uses: helm/chart-testing-action@v2 - name: Install yq - run: pip install yq + uses: dcarbone/install-yq-action@v1.1.1 - name: Install ShellSpec run: |
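Review bot: The new workflow declares no `permissions:` block, so both jobs run with whatever default GITHUB_TOKEN grant the repository is configured with, although the list job only needs to read the checkout and the Trivy job needs no token at all; add `permissions:` / `  contents: read` at the top level so the token is read-only for the whole workflow. In the same least-privilege spirit, `actions/checkout@v4`, `dcarbone/install-yq-action@v1.1.1` and `aquasecurity/trivy-action@0.28.0` are all pinned to mutable tags, so a retagged release of either third-party action would run unreviewed code here; pin each `uses:` to the action's full commit SHA and keep the tag in a trailing comment. Separately, the yq filters in the List Container Images step read only `containers[].image`, so `initContainers` images, and any `CronJob` whose pod spec sits under `.spec.jobTemplate.spec.template`, would not be scanned; I cannot tell from this hunk whether the example outputs contain any, but given the job's purpose it is worth adding those selectors or a comment stating the coverage is deliberately limited to the listed kinds.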
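Review bot: `pip install yq` installed the Python yq, which wraps jq and takes jq filter syntax, whereas `dcarbone/install-yq-action` installs the Go yq whose v4 expression syntax and flags differ, so any ShellSpec or chart-testing scripts later in this job that invoke `yq` with jq-style filters will need the same migration; those scripts are outside the hunk, so please confirm the job still passes on a clean runner. The replacement is also a third-party action pinned to the mutable tag `v1.1.1`; pinning `uses:` to the action's full commit SHA, with the tag as a comment, keeps a retagged release from silently changing what runs in CI.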