diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 139aee7..bcc5423 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -139,6 +139,22 @@ jobs: crane tag "${DST}:${APP_VER}" "latest" echo "Mirrored ${SRC} → ${DST}:{${APP_VER},${CHART_TAG},latest}" + - name: Trivy vulnerability scan + run: | + TRIVY_VER="0.58.2" + curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VER}/trivy_${TRIVY_VER}_Linux-64bit.tar.gz" \ + | tar -xz -C /usr/local/bin trivy + + APP_VER=$(grep '^appVersion:' fleetdm-stack/Chart.yaml | awk '{print $2}' | tr -d '"') + OWNER=$(echo "${{ gitea.repository_owner }}" | tr '[:upper:]' '[:lower:]') + IMAGE="git.produktor.io/${OWNER}/flamingo-tech-test:${APP_VER}" + + export TRIVY_USERNAME="${{ gitea.actor }}" + export TRIVY_PASSWORD="${{ secrets.REPO_TOKEN }}" + + echo "Scanning ${IMAGE} for vulnerabilities..." + trivy image --severity HIGH,CRITICAL --exit-code 0 "${IMAGE}" + - name: Create tag run: | git config user.name "Gitea Actions" diff --git a/README.md b/README.md index 70cb7fa..bd68939 100644 --- a/README.md +++ b/README.md 
@@ -144,6 +144,25 @@ For production, configure proper TLS and a stable DNS name for agents. 1. **Basic CI pipeline** — Gitea Actions lint on push, release on tag (see [.github/workflows/release.yaml](.github/workflows/release.yaml)) 2. **Exposed Fleet UI** — `make port-forward` on port 8585 (+ ingress `fleet.localhost`) 3. **`fleet prepare db`** — Handled by `autoApplySQLMigrations: true` in the Fleet Helm chart +4. **Container image mirroring** — CI mirrors the upstream `fleetdm/fleet` image to the [Gitea OCI registry](https://git.produktor.io/eSlider/-/packages) using `crane` (daemonless) +5. **Trivy vulnerability scan** — Each release scans the mirrored image for HIGH/CRITICAL CVEs + +## Container Registry + +The CI pipeline mirrors the FleetDM image to the Gitea container registry on every release. + +```bash +# Pull the latest mirrored image +docker pull git.produktor.io/eslider/flamingo-tech-test:latest + +# Pull a specific app version +docker pull git.produktor.io/eslider/flamingo-tech-test:4.80.1 + +# Pull by chart release tag +docker pull git.produktor.io/eslider/flamingo-tech-test:v0.0.10 +``` + +Browse all available tags at [git.produktor.io/eSlider/-/packages/container/flamingo-tech-test/latest](https://git.produktor.io/eSlider/-/packages/container/flamingo-tech-test/latest). ## Project Structure diff --git a/docs/architecture-design-company-inc.md b/docs/architecture-design-company-inc.md index ad448cf..4ba0246 100644 --- a/docs/architecture-design-company-inc.md +++ b/docs/architecture-design-company-inc.md 
@@ -147,7 +147,7 @@ All container images are stored in **GCP Artifact Registry** in the `company-inc - **Image retention policy** — keep the latest 10 tagged images per service; automatically garbage-collect untagged manifests older than 30 days. - **Access control** — CI service account has `roles/artifactregistry.writer`; GKE node service accounts have `roles/artifactregistry.reader`. No human push access. -*For self-hosted Git platforms (e.g. Gitea), the built-in OCI container registry can serve the same role at zero additional cost, with Trivy added as a CI step for vulnerability scanning.* +*For self-hosted Git platforms (e.g. Gitea), the built-in OCI container registry can serve the same role at zero additional cost. In the practical part of this project, this is demonstrated: the CI pipeline mirrors the upstream FleetDM image to the Gitea OCI registry using `crane` (a daemonless image tool), then scans it with **Trivy** for HIGH/CRITICAL CVEs before publishing the release.* #### Deployment Pipelines (CI/CD Integration) diff --git a/docs/architecture-hld.md b/docs/architecture-hld.md index f1066a5..42eff06 100644 --- a/docs/architecture-hld.md +++ b/docs/architecture-hld.md @@ -29,7 +29,7 @@ flowchart TB Blue[Blue — new release
smoke tests] end subgraph Workloads - API[Backend — Python / Flask
HPA · 2–3 replicas] + API[Backend — Python / Flask
HPA · 2-3 replicas] SPA[Frontend — React SPA
Nginx] end Redis[Redis — Memorystore
Session / Cache] @@ -94,8 +94,9 @@ flowchart LR flowchart LR Dev[Developer] -->|push| Repo[Git Repo] Repo -->|webhook| CI[CI Pipeline
lint · test · build] - CI -->|docker build + push| Registry[Container Registry
Artifact Registry / Gitea OCI] - CI -->|scan image| Trivy[Trivy
CVE scan] + CI -->|crane copy / docker push| Registry[Container Registry
Artifact Registry / Gitea OCI] + Registry -->|scan image| Trivy[Trivy
HIGH + CRITICAL CVEs] + Trivy -->|pass| CI2[Publish Release] CI -->|update manifests| GitOps[GitOps Repo] GitOps -->|sync| Argo[ArgoCD] Argo -->|blue-green deploy| GKE[GKE Cluster]
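Review bot: in the new "Trivy vulnerability scan" step of release.yaml, `trivy image --severity HIGH,CRITICAL --exit-code 0 "${IMAGE}"` makes the scan purely informational: findings are printed, but the job proceeds to "Create tag" regardless, so nothing in this step blocks a release. That contradicts the `Trivy -->|pass| CI2[Publish Release]` gate drawn in architecture-hld.md and the "before publishing the release" wording in the design doc. Either use `--exit-code 1` (optionally with `--ignore-unfixed` so CVEs with no upstream fix do not stall every release) or document the step as advisory. Two related points in the same step: the preceding mirror step already runs `crane tag "${DST}:${APP_VER}" "latest"` before Trivy executes, so even a blocking scan would leave a published `latest`; scanning the upstream image before the `crane copy`, or tagging `latest` only after the scan, would close that gap. And the `curl ... | tar -xz -C /usr/local/bin trivy` install pins `TRIVY_VER` but never verifies the tarball; checking it against the checksums file Trivy publishes with each release keeps the scanner itself out of the supply-chain risk. `APP_VER`, `OWNER` and `IMAGE` are also recomputed here from Chart.yaml instead of being carried over from the mirror step; sharing them via the step env file would avoid the two steps drifting.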
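Review bot: README item 5, "Each release scans the mirrored image for HIGH/CRITICAL CVEs", reads as if findings gate the release, but the workflow runs Trivy with `--exit-code 0`; either state that the scan is advisory or fix the workflow so the sentence holds. In the new "Container Registry" section the pull examples use the lowercased owner (`git.produktor.io/eslider/...`) while the browse link uses `eSlider`; a short sentence noting that the workflow lowercases `gitea.repository_owner` for the image path would save readers from wondering whether the two are different namespaces. The example tags `4.80.1` and `v0.0.10` will go stale quickly; the browse link already covers current tags, so `latest` alone may be enough in the examples.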
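Review bot: the rewritten sentence in architecture-design-company-inc.md claims the image is scanned "with **Trivy** for HIGH/CRITICAL CVEs before publishing the release", but in release.yaml the mirror step tags `latest` before the Trivy step runs and the scan uses `--exit-code 0`, so neither image publication nor the release tag depends on the result. Either soften it to "then scans it with Trivy and reports HIGH/CRITICAL CVEs" or change the workflow ordering and exit code so the claim is accurate.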
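Review bot: the `2–3` to `2-3` edit in the Workloads subgraph of architecture-hld.md is a dash normalization unrelated to the mirroring and scanning change; fine to keep, but call it out in the commit message or split it into its own commit so the intent of the diff stays clear.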
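Review bot: `Trivy -->|pass| CI2[Publish Release]` in the updated pipeline flowchart draws a pass gate the workflow does not implement: the scan exits 0 and "Create tag" runs unconditionally. Either relabel the edge (for example `|report|`) or make the workflow fail on findings so the diagram matches reality. `Registry -->|scan image| Trivy` does correctly show that Trivy pulls the already-pushed image; if the goal is to block publication, the scan has to move before the push, which would turn that edge back into `CI -->|scan image| Trivy`.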