diff --git a/.github/workflows/ci-schedule-imagescanning.yaml b/.github/workflows/ci-schedule-imagescanning.yaml
new file mode 100644
index 000000000000..6ef03cedbb55
--- /dev/null
+++ b/.github/workflows/ci-schedule-imagescanning.yaml
@@ -0,0 +1,163 @@ +name: image-scanning-on-schedule +on: + push: + schedule: + # Run this workflow "At 20:00 UTC on Sunday and Saturday" + - cron: '0 20 * * 0,6' + +jobs: + use-trivy-to-scan-image1: + name: release-1.5 + if: ${{ github.repository == 'karmada-io/karmada' }} + runs-on: ubuntu-22.04 + strategy: + matrix: + target: + - karmada-controller-manager + - karmada-scheduler + - karmada-descheduler + - karmada-webhook + - karmada-agent + - karmada-scheduler-estimator + - karmada-interpreter-webhook-example + - karmada-aggregated-apiserver + - karmada-search + - karmada-operator + steps: + - name: checkout code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: release-1.5 + - name: install Go + uses: actions/setup-go@v3 + with: + go-version: 1.19.5 + - name: Build an image from Dockerfile + run: | + export VERSION="v1.5.0" + export REGISTRY="karmada" + make image-${{ matrix.target }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: 'karmada/${{ matrix.target }}:v1.5.0' + format: 'sarif' + ignore-unfixed: true + vuln-type: 'os,library' + output: 'trivy-results-${{ matrix.target }}-release-1.5.sarif' + - name: display scan results + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: 'karmada/${{ matrix.target }}:v1.5.0' + format: 'table' + ignore-unfixed: true + vuln-type: 'os,library' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-${{ matrix.target }}-release-1.5.sarif' + use-trivy-to-scan-image2: + name: release-1.6 + if: ${{ github.repository == 'karmada-io/karmada' }} + runs-on: ubuntu-22.04 + strategy: + matrix: + target: + - karmada-controller-manager + - karmada-scheduler + - karmada-descheduler + - karmada-webhook + - karmada-agent + - karmada-scheduler-estimator + - karmada-interpreter-webhook-example + - karmada-aggregated-apiserver + - karmada-search + - karmada-operator + - 
karmada-metrics-adapter + steps: + - name: checkout code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: release-1.6 + - name: install Go + uses: actions/setup-go@v3 + with: + go-version: 1.20.5 + - name: Build an image from Dockerfile + run: | + export VERSION="v1.6.0" + export REGISTRY="karmada" + make image-${{ matrix.target }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: 'karmada/${{ matrix.target }}:v1.6.0' + format: 'sarif' + ignore-unfixed: true + vuln-type: 'os,library' + output: 'trivy-results-${{ matrix.target }}-release-1.6.sarif' + - name: display scan results + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: 'karmada/${{ matrix.target }}:v1.6.0' + format: 'table' + ignore-unfixed: true + vuln-type: 'os,library' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-${{ matrix.target }}-release-1.6.sarif' + use-trivy-to-scan-image3: + name: release-1.7 + if: ${{ github.repository == 'karmada-io/karmada' }} + runs-on: ubuntu-22.04 + strategy: + matrix: + target: + - karmada-controller-manager + - karmada-scheduler + - karmada-descheduler + - karmada-webhook + - karmada-agent + - karmada-scheduler-estimator + - karmada-interpreter-webhook-example + - karmada-aggregated-apiserver + - karmada-search + - karmada-operator + - karmada-metrics-adapter + steps: + - name: checkout code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: release-1.7 + - name: install Go + uses: actions/setup-go@v3 + with: + go-version: 1.20.6 + - name: Build an image from Dockerfile + run: | + export VERSION="v1.7.0" + export REGISTRY="karmada" + make image-${{ matrix.target }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: 'karmada/${{ matrix.target }}:v1.7.0' + format: 'sarif' + ignore-unfixed: true + vuln-type: 'os,library' + output: 
'trivy-results-${{ matrix.target }}-release-1.7.sarif' + - name: display scan results + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: 'karmada/${{ matrix.target }}:v1.7.0' + format: 'table' + ignore-unfixed: true + vuln-type: 'os,library' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-${{ matrix.target }}-release-1.7.sarif'
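Review bot: Every action in the new workflow is pinned to a mutable tag (`actions/checkout@v3`, `actions/setup-go@v3`, `aquasecurity/trivy-action@0.12.0`, `github/codeql-action/upload-sarif@v2`), so a job that writes to the repository's Security tab runs whatever those tags resolve to on the day; pin each `uses:` to a full commit SHA with the tag kept in a trailing comment. The workflow declares no `permissions:` block while `upload-sarif` needs `security-events: write`, so it inherits the repository's default token scope, which is either too little (upload fails) or more than the jobs need; add a top-level `permissions:` with `contents: read` and `security-events: write`. The bare `push:` trigger next to `schedule:` means the three release jobs, roughly thirty image builds, run on every push as well as at the Saturday/Sunday cron, which looks unintended for a file named ci-schedule-imagescanning. Each job also calls upload-sarif once per matrix target and release without a `category:` input, so the uploads for one commit may overwrite each other in code scanning — worth verifying, and if so setting `category: 'trivy-${{ matrix.target }}-release-1.5'` (with the 1.6 and 1.7 equivalents).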