diff --git a/.github/workflows/build_test_images.yaml b/.github/workflows/build_test_images.yaml
index ed308b5..fdf99f2 100644
--- a/.github/workflows/build_test_images.yaml
+++ b/.github/workflows/build_test_images.yaml
@@ -64,11 +64,20 @@ jobs:
 S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
 S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}

+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: mount qcow2 file
+ shell: |
+ sudo apt-get -y install libguestfs-tools
+ sudo mkdir -p /mnt/${{ steps.publish-image.outputs.image-name }}
+ sudo guestmount -a ${{ steps.publish-image.outputs.image-name }}.qcow2 -i /mnt/${{ steps.publish-image.outputs.image-name }}
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.17.0
 with:
- scan-type: vm
- scan-ref: ${{ steps.publish-image.outputs.image-name }}.qcow2
+ scan-type: fs
+ scan-ref: "/mnt/${{ steps.publish-image.outputs.image-name }}"
 format: sarif
 output: trivy-results.sarif
 ignore-unfixed: true
diff --git a/bin/setup b/bin/setup
index ac57925..9900feb 100755
--- a/bin/setup
+++ b/bin/setup
@@ -20,6 +20,3 @@ ansible-galaxy install -f -r "$REPO_ROOT/requirements.yml"

 # Initialise Packer plugins
 packer init "$REPO_ROOT/config.pkr.hcl"
-
-# Add package to help mount qcow2 files
-sudo apt-get -y install libguestfs-tools
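Review bot: The `mount qcow2 file` step has `shell: |` but no `run:` key, so the script under it never executes — GitHub Actions reads `shell` as the interpreter name and rejects a step that has neither `run` nor `uses`; change the key to `run: |` (a `shell: bash` line may be kept alongside it). The mount point under `/mnt` is outside `GITHUB_WORKSPACE`, and if trivy-action at 0.17.0 still runs as a Docker container action that path will not be visible inside it; mounting under `${{ github.workspace }}` avoids this, and because a FUSE mount made by root is readable only by root unless `-o allow_other` is given, confirm which user the scanner runs as. For a mounted root filesystem Trivy's documented target is `scan-type: rootfs`; verify that `fs` still detects OS packages on this Trivy version before relying on the results. `docker/setup-qemu-action@v3` is a mutable tag and that action registers binfmt handlers rather than providing anything libguestfs needs; if it stays, pin it to a full commit SHA with the tag in a trailing comment. The job's earlier steps, including `publish-image`, are outside the hunk.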