- Task
- Resolution: Done
- L3 - Default
- S
Trivy for Docker image scanning: https://github.com/aquasecurity/trivy
Snyk misses some things, and there was one occasion where customers found a vulnerability that we hadn't seen. It is worth integrating such a check into our release process for added confidence.
The Zeebe controller repo has this integrated already. Maybe we can learn/copy something from there.
The Trivy check should get triggered when the pipeline runs the Docker smoke test on merges to master.
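One way to wire such a gate into the smoke-test step, as an added example that is not code from this ticket, Zeebe, or Trivy itself: the step runs `trivy image --format json --output report.json <image>` and then evaluates the report, failing the job on HIGH/CRITICAL findings. The report below is constructed in Trivy's JSON layout with placeholder IDs (not real CVEs), and the `ignore_unfixed` behaviour is an assumption mirroring Trivy's own `--ignore-unfixed` option.

```python
# Added example: release gate over a Trivy JSON report (not from the ticket or Zeebe).
# Produce the input with: trivy image --format json --output report.json <image>
import json
import sys

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}

def blocking_findings(report, ignore_unfixed=True):
    """Return (target, vuln_id, package, severity) tuples that should fail the gate."""
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null instead of [] for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if severity not in BLOCKING_SEVERITIES:
                continue
            # No FixedVersion means a package bump cannot remediate it; assumed
            # policy here is to track those separately rather than block the release.
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            findings.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                             vuln.get("PkgName", "?"), severity))
    return findings

def gate(report, ignore_unfixed=True):
    """Exit-code style verdict: 0 releases the image, 1 blocks the pipeline step."""
    findings = blocking_findings(report, ignore_unfixed)
    for target, vuln_id, pkg, severity in findings:
        print(f"BLOCK {severity:<8} {vuln_id} in {pkg} ({target})")
    return 1 if findings else 0

# Constructed sample report; vulnerability IDs are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "ArtifactName": "example/app:dev",
    "Results": [
        {"Target": "example/app:dev (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "Severity": "CRITICAL",
             "InstalledVersion": "1.0", "FixedVersion": "1.1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH",
             "InstalledVersion": "2.0", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "LOW",
             "InstalledVersion": "3.0", "FixedVersion": "3.1"},
        ]},
        {"Target": "app/pom.xml", "Vulnerabilities": None},
    ],
}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report))
```

Run with `python gate.py report.json` in the CI step; a non-zero exit fails the job, which is the same contract Trivy's own `--exit-code 1 --severity HIGH,CRITICAL` gives without the custom policy.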