diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
new file mode 100644
index 0000000000..f4c8500d88
--- /dev/null
+++ b/.github/workflows/compare-cves.yml
@@ -0,0 +1,33 @@
+name: Compare CVEs to main
+
+permissions:
+ contents: read
+
+on:
+ pull_request:
+ paths:
+ - "go.mod"
+ - "go.sum"
+ - "cargo.toml"
+ - "cargo.lock"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{ github.head_ref || github.ref_name }}
+
+ - name: fetch main
+ run: git fetch origin main --depth 1
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ - name: Install tools
+ uses: ./.github/actions/install-tools
+
+ - name: Check for CVEs in Dependencies
+ run: "hack/check-vulnerabilities.sh"
diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
index 26c05a08c9..2851849bf7 100644
--- a/.github/workflows/scan-cves.yml
+++ b/.github/workflows/scan-cves.yml
@@ -6,12 +6,6 @@ permissions:
 on:
 schedule:
 - cron: "0 10 * * *"
- pull_request:
- paths:
- - "go.mod"
- - "go.sum"
- - "cargo.toml"
- - "cargo.lock"
 jobs:
 validate:
diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
new file mode 100755
index 0000000000..903e59a01a
--- /dev/null
+++ b/hack/check-vulnerabilities.sh
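Review bot: `ref: ${{ github.head_ref || github.ref_name }}` in the checkout step resolves the head branch by name against the base repository, so for a pull request opened from a fork that branch does not exist there and the checkout step should fail before the scan runs; same-repository PRs are unaffected. The override appears to exist only so that `git rev-parse --abbrev-ref HEAD` in `hack/check-vulnerabilities.sh` yields a branch name; if the script captured a commit (`git rev-parse HEAD`) instead, the `ref:` line could be dropped and the default merge-commit checkout used. Separately, the `paths` filter lists `cargo.toml`/`cargo.lock` in lowercase while Cargo's manifest and lockfile are conventionally `Cargo.toml`/`Cargo.lock`, and path filters are case-sensitive, so the trigger may never fire for Rust dependency changes (the same spelling was carried over from `scan-cves.yml`). Because the job executes `go run main.go` from the PR head, it runs contributor code; that is acceptable only while the job keeps `contents: read` and no secrets, which a comment on the trigger such as `# pull_request (not pull_request_target): runs PR code with a read-only token and no secrets` would record for future editors.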
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+MAIN_BRANCH="main"
+TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+echo "target branch is $TARGET_BRANCH"
+
+mkdir -p build
+
+git checkout $MAIN_BRANCH
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' > build/main-syft.json
+
+git checkout $TARGET_BRANCH
+cat build/main-syft.json | grype -o template -t hack/compare.tmpl > build/main.json
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/compare.tmpl > build/target.json
+
+
+result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json | jq '[.[] | select(.severity != "Low" and .severity != "Medium")]')
+
+echo "CVEs on $MAIN_BRANCH are $(cat build/main.json | jq )"
+echo "CVEs on $TARGET_BRANCH are $(cat build/target.json | jq)"
+
+if [[ "$result" == "[]" ]]; then
+ echo "no new vulnerabilities on $TARGET_BRANCH"
+ exit 0
+else
+ echo "new CVEs have been added with IDs $result"
+ exit 1
+fi
diff --git a/hack/compare.tmpl b/hack/compare.tmpl
new file mode 100644
index 0000000000..469720459f
--- /dev/null
+++ b/hack/compare.tmpl
@@ -0,0 +1,7 @@
+[
+ {{- $length := len .Matches -}}
+ {{- range $index, $match := .Matches -}}
+ { "id": "{{$match.Vulnerability.ID}}", "severity": "{{$match.Vulnerability.Severity}}" }
+ {{ if lt (add $index 1) $length }},{{ end }}
+ {{- end -}}
+]
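Review bot: `TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)` yields the literal string `HEAD` whenever the checkout is detached (the default for a `pull_request` checkout, and what happens if anyone runs the script from a detached state), so after `git checkout $MAIN_BRANCH` the later `git checkout $TARGET_BRANCH` stays on main and the script compares main with itself, printing `no new vulnerabilities` as a false negative. Capturing a commit instead removes the dependency on being on a named branch: `TARGET_REF=$(git rev-parse HEAD)` and `git checkout "$TARGET_REF"`, with `"$MAIN_BRANCH"` quoted on its checkout line as well. The `result=` line silently drops `Low` and `Medium` findings, which the final messages do not reveal; a comment above it such as `# Fail only on findings absent from main whose severity is neither Low nor Medium (High, Critical, Negligible, Unknown all count)` would make the policy explicit. Minor: `cat build/main.json | jq` and its sibling can be `jq . build/main.json`.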
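Review bot: The template carries no description of its output contract, yet `hack/check-vulnerabilities.sh` depends on the exact shape (a JSON array of `{id, severity}` objects) for its `jq` set difference; a leading `{{- /* Emits a JSON array of {id, severity} objects, one per grype match; consumed by hack/check-vulnerabilities.sh */ -}}` would state that. `{{$match.Vulnerability.ID}}` and `{{$match.Vulnerability.Severity}}` are written unescaped inside JSON string literals, so a value containing a quote or backslash would produce invalid JSON; with `set -e` in the caller that surfaces as a spurious CI failure rather than a missed finding, so the risk is availability, not a silent pass. Go text/template's builtin `printf` keeps the output well-formed for such values, e.g. `{ "id": {{ printf "%q" $match.Vulnerability.ID }}, "severity": {{ printf "%q" $match.Vulnerability.Severity }} }`.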