diff --git a/.github/workflows/end-to-end-test.yml b/.github/workflows/end-to-end-test.yml index 4250dd74..72e9257c 100644 --- a/.github/workflows/end-to-end-test.yml +++ b/.github/workflows/end-to-end-test.yml @@ -61,6 +61,13 @@ jobs: sudo mv cosign /usr/local/bin/cosign which cosign cosign version + pushd $(mktemp -d) + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.38.3/trivy_0.38.3_Linux-64bit.tar.gz -o trivy.tar.gz + tar -xzvf trivy.tar.gz + sudo mv trivy /usr/local/bin/trivy + popd + which trivy + trivy version cd $GITHUB_WORKSPACE - name: Install go diff --git a/tests/scripts/load_test_data.py b/tests/scripts/load_test_data.py index ccddbc78..00e24cd7 100755 --- a/tests/scripts/load_test_data.py +++ b/tests/scripts/load_test_data.py @@ -85,10 +85,41 @@ def pull_modify_push_image(logger, registry, image_name, tag, cosign_password, with open(metafile) as f: image_metadata = json.load(f) - image_metadata[image_name][tag]["multiarch"] = multiarch + logger.debug("raw image metadata") + logger.debug(image_metadata) + image_metadata["multiarch"] = multiarch + image_metadata["cves"] = getCVEInfo(image_metadata.pop("trivy")) + logger.debug("processed image metadata") + logger.debug(image_metadata) return image_metadata +def getCVEInfo(trivy_results): + cve_dict = {} + + for result in trivy_results: + for vulnerability in result.get("Vulnerabilities", []): + cve_id = vulnerability["VulnerabilityID"] + + package = { + "PackageName": vulnerability.get("PkgName"), + "InstalledVersion": vulnerability.get("InstalledVersion"), + "FixedVersion": vulnerability.get("FixedVersion", "Not Specified") + } + + if cve_dict.get(cve_id): + cve_dict[cve_id]["PackageList"].append(package) + else: + cve_dict[cve_id] = { + "ID": cve_id, + "Title": vulnerability.get("Title"), + "Description": vulnerability.get("Description"), + "Severity": vulnerability.get("Severity"), + "PackageList": [package] + } + + return cve_dict + def main(): args = parse_args() 
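Review bot: The trivy tarball fetched by the `curl -L` line is installed without any integrity check: the version is pinned, but nothing confirms that the bytes that arrived from the release URL are the expected artifact, so a tampered or truncated download would be moved to /usr/local/bin and used by every scan in this pipeline. Fetch the checksums file published with the release into the same temp dir and run `sha256sum --ignore-missing -c <checksums-file>` before the `sudo mv`, or pin the digest in the workflow and check `echo "<expected-sha256>  trivy.tar.gz" | sha256sum -c -`. Extracting only the binary, `tar -xzf trivy.tar.gz trivy`, also avoids unpacking the rest of the archive into the temp dir. The `sudo mv cosign` context line suggests the cosign install above follows the same unverified pattern, but that step starts outside the hunk.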
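Review bot: getCVEInfo, the new def in this hunk, has no docstring and departs from the file's snake_case naming (pull_modify_push_image, parse_args, main); I would rename it at the definition and at the call site, `image_metadata["cves"] = get_cve_info(image_metadata.pop("trivy"))`, and give it a docstring saying it flattens trivy Results into a dict keyed by VulnerabilityID, collecting every affected package under PackageList while Title, Description and Severity come from the first occurrence of that id. The membership test `if cve_dict.get(cve_id):` reads more directly as `if cve_id in cve_dict:`. If trivy ever emits `"Vulnerabilities": null` instead of omitting the key, `result.get("Vulnerabilities", [])` yields None and the inner loop raises TypeError; `result.get("Vulnerabilities") or []` covers both shapes — I have not confirmed which form the pinned trivy produces. pull_modify_push_image's signature and the body of main lie outside the hunk.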
@@ -137,7 +168,7 @@ def main(): image_metadata = pull_modify_push_image(logger, registry, image_name, tag, cosign_password, multiarch, username, password, debug, data_dir) metadata.setdefault(image_name, {}) - metadata[image_name][tag] = image_metadata[image_name][tag] + metadata[image_name][tag] = image_metadata with open(metadata_file, "w") as f: json.dump(metadata, f, indent=2) diff --git a/tests/scripts/pull_update_push_image.sh b/tests/scripts/pull_update_push_image.sh index 2f3122c0..ba9b3b12 100755 --- a/tests/scripts/pull_update_push_image.sh +++ b/tests/scripts/pull_update_push_image.sh @@ -125,6 +125,11 @@ function verify_prerequisites { return 1 fi + if [ ! command -v trivy ] &>/dev/null; then + echo "you need to install trivy as a prerequisite" >&3 + return 1 + fi + if [ ! command -v jq ] &>/dev/null; then echo "you need to install jq as a prerequisite" >&3 return 1 @@ -160,6 +165,7 @@ doc=$(cat ${docker_docs_dir}/${image}/content.md) local_image_ref_skopeo=oci:${images_dir}:${image}-${tag} local_image_ref_regtl=ocidir://${images_dir}:${image}-${tag} +local_image_ref_trivy=${images_dir}:${image}-${tag} remote_src_image_ref=docker://${image}:${tag} remote_dest_image_ref=${registry}/${image}:${tag} 
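Review bot: The new trivy prerequisite check never fires: `[ ! command -v trivy ]` hands test the words `! command -v trivy`, which is not a valid test expression, so `[` exits non-zero with its complaint silenced by `&>/dev/null` and the `then` branch is skipped whether or not trivy is installed. The intended form is `if ! command -v trivy &>/dev/null; then`. The pre-existing jq check shown as context just below has the same shape and would take the same fix; verify_prerequisites begins before this hunk.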
@@ -209,13 +215,24 @@ if [ $? -ne 0 ]; then
 exit 1
 fi
 
+trivy_out_file=trivy-${image}-${tag}.json
+if [ ! -z "${multiarch}" ]; then
+ trivy image --scanners vuln --format json --input ${local_image_ref_trivy} -o ${trivy_out_file}
+ jq -n --argfile trivy_file ${trivy_out_file} '.trivy=$trivy_file.Results' > ${trivy_out_file}.tmp
+ mv ${trivy_out_file}.tmp ${trivy_out_file}
+else
+ echo '{"trivy":[]}' > ${trivy_out_file}
+fi
+
 # Sign new updated image
 COSIGN_PASSWORD=${cosign_password} cosign sign ${remote_dest_image_ref} --key ${cosign_key_path} --allow-insecure-registry
 if [ $? -ne 0 ]; then
 exit 1
 fi
 
-details=$(jq -n \
+details_file=details-${image}-${tag}.json
+
+jq -n \
 --arg org.opencontainers.image.title "${image}" \
 --arg org.opencontainers.image.description " $description" \
 --arg org.opencontainers.image.url "${repo}" \
@@ -223,7 +240,7 @@ details=$(jq -n \
 --arg org.opencontainers.image.licenses "${license}" \
 --arg org.opencontainers.image.vendor "${vendor}" \
 --arg org.opencontainers.image.documentation "${description}" \
- '$ARGS.named'
-)
+ '$ARGS.named' > ${details_file}
 
-jq -n --arg image "${image}" --arg tag "${tag}" --argjson details "${details}" '.[$image][$tag]=$details' > ${metafile}
+jq -c -s add ${details_file} ${trivy_out_file} > ${metafile}
+rm ${details_file} ${trivy_out_file}
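Review bot: The `trivy image ...` call in the multiarch branch is the one command in this stretch whose exit status is not checked: the command just before the hunk and `cosign sign` below are each followed by `if [ $? -ne 0 ]; then exit 1; fi`, but if trivy fails (a vulnerability-DB download error is the usual cause in CI) `${trivy_out_file}` is missing or partial, the jq rewrite and `mv` fail in turn, and the script still signs the image and only dies at the final `jq -c -s add` without saying why. Add the file's usual check after the trivy line, or chain it as `trivy image ... -o ${trivy_out_file} || exit 1`, and guard the `jq -n --argfile ...` rewrite the same way. `--argfile` is deprecated in recent jq releases in favour of `--slurpfile`, which binds an array so the filter would become `.trivy=$trivy_file[0].Results`; worth confirming against the jq version the CI runner ships. `[ ! -z "${multiarch}" ]` is the long form of `[ -n "${multiarch}" ]`.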