For each Client we use a similar buildflow, building and pushing a "soft" image with packagemanager and with non breaking security scan (with the results available under /scan_results in the container), and creating a signed and (this time breaking) vulnerability scanned dockerfile.
