diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 22777bbd..ff79cf71 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -17,6 +17,9 @@ jobs:
   test:
     uses: ./.github/workflows/test.yml
 
+  scan:
+    uses: ./.github/workflows/scan.yml
+
   pull-request:
     needs: test
     name: Pull request success
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 605c7706..d64500d8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,10 +34,7 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: '11'
-          cache: 'gradle'
-      - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@v3
-      - uses: gradle/actions/setup-gradle@v3
+      - uses: gradle/actions/setup-gradle@v4
       - name: Push to registry ${{ matrix.publish_target }}
         run: |
           set -xev
@@ -69,10 +66,7 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: '11'
-          cache: 'gradle'
-      - name: Validate Gradle wrapper
-        uses: gradle/actions/wrapper-validation@v3
-      - uses: gradle/actions/setup-gradle@v3
+      - uses: gradle/actions/setup-gradle@v4
       - name: Build the dependencies needed for the image
         run: ./gradlew :fabric-chaincode-docker:copyAllDeps
       - name: Set up QEMU
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 00000000..e87983eb
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,33 @@
+name: "Scheduled vulnerability scan"
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: Branch, tag or SHA to scan.
+        type: string
+        required: false
+        default: ""
+
+permissions:
+  contents: read
+
+jobs:
+  osv-scanner:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 11
+      - uses: gradle/actions/setup-gradle@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false
+      - name: Scan
+        run: make scan
diff --git a/.github/workflows/scheduled-scan.yml b/.github/workflows/scheduled-scan.yml
index c303b270..ac8b3ca7 100644
--- a/.github/workflows/scheduled-scan.yml
+++ b/.github/workflows/scheduled-scan.yml
@@ -1,6 +1,9 @@
 name: "Scheduled vulnerability scan"
 
 on:
+  pull_request:
+    branches:
+      - main
   schedule:
     - cron: "20 3 * * *"
   workflow_dispatch:
@@ -9,13 +12,18 @@ permissions:
   contents: read
 
 jobs:
-  osv-scanner:
+  latest-release-version:
+    name: Get latest release tag
     runs-on: ubuntu-latest
+    outputs:
+      tag_name: ${{ steps.tag-name.outputs.value }}
     steps:
-      - uses: actions/checkout@v4
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
-      - name: Scan
-        run: make scan
+      - id: tag-name
+        run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"
+
+  scan:
+    name: Scan ${{ needs.latest-release-version.outputs.tag_name }}
+    needs: latest-release-version
+    uses: ./.github/workflows/scan.yml
+    with:
+      ref: ${{ needs.latest-release-version.outputs.tag_name }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3e057986..7ae6e959 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,7 +7,7 @@ name: Test
 on:
   workflow_call:
     inputs:
-      checkout-ref:
+      ref:
         default: ''
         required: false
         type: string
@@ -18,14 +18,12 @@ jobs:
     steps:
     - uses: actions/checkout@v4
       with:
-        ref: ${{ inputs.checkout-ref }}
+        ref: ${{ inputs.ref }}
     - uses: actions/setup-java@v4
       with:
         distribution: temurin
         java-version: 11
-    - name: Validate Gradle wrapper
-      uses: gradle/actions/wrapper-validation@v3
-    - uses: gradle/actions/setup-gradle@v3
+    - uses: gradle/actions/setup-gradle@v4
     - name: Build and Unit test
       run: ./gradlew :fabric-chaincode-shim:build 
 
@@ -34,11 +32,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.checkout-ref }}
+          ref: ${{ inputs.ref }}
       - uses: actions/setup-java@v4
         with:
           distribution: temurin
           java-version: 11
+      - uses: gradle/actions/setup-gradle@v4
       - name: Populate chaincode with latest java-version
         run: |
           ./gradlew -I $GITHUB_WORKSPACE/fabric-chaincode-integration-test/chaincodebootstrap.gradle -PchaincodeRepoDir=$GITHUB_WORKSPACE/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/repository publishShimPublicationToFabricRepository
@@ -58,7 +57,6 @@ jobs:
         run: |
           peer version
           weft --version
-      - uses: gradle/actions/setup-gradle@v3
       - name: Integration Tests
         run: ./gradlew :fabric-chaincode-integration-test:build
 
@@ -67,11 +65,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.checkout-ref }}
+          ref: ${{ inputs.ref }}
       - uses: actions/setup-java@v4
         with:
           distribution: temurin
           java-version: 11
-      - uses: gradle/actions/setup-gradle@v3
+      - uses: gradle/actions/setup-gradle@v4
       - name: Build Docker image
         run: ./gradlew :fabric-chaincode-docker:buildImage