diff --git a/.github/workflows/test-scan-apk.yaml b/.github/workflows/test-scan-apk.yaml
new file mode 100644
index 0000000..e757c65
--- /dev/null
+++ b/.github/workflows/test-scan-apk.yaml
@@ -0,0 +1,40 @@
+name: test-scan-apk
+
+on: [pull_request]
+
+jobs:
+ test-unpinned:
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: ./scan-apk
+ id: scan
+ with:
+ package: ko
+ - run: echo ${{ steps.scan.outputs.vuln-count }}
+
+ test-pinned:
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: ./scan-apk
+ id: scan
+ with:
+ package: ko=0.13.0-r4
+ - run: echo ${{ steps.scan.outputs.vuln-count }}
+
+ test-alpine:
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: ./scan-apk
+ id: scan
+ with:
+ repositories: https://dl-cdn.alpinelinux.org/alpine/edge/main
+ keyring: ""
+ package: busybox
+ - run: echo ${{ steps.scan.outputs.vuln-count }}
+
diff --git a/scan-apk/README.md b/scan-apk/README.md
new file mode 100644
index 0000000..e47ed1f
--- /dev/null
+++ b/scan-apk/README.md
@@ -0,0 +1,14 @@
+# Scan an APK for Vulnerabilities
+
+This action uses apko to build an ephemeral image and scan it with
+[Anchore/Grype](https://github.com/anchore/grype) to identify any
+vulnerabilities.
+
+
+## Usage
+
+```yaml
+ - uses: chainguard-images/actions/scan-apk@main
+ with:
+ package: foo # or foo=1.2.3-r4
+```
diff --git a/scan-apk/action.yaml b/scan-apk/action.yaml
new file mode 100644
index 0000000..4ba3b6e
--- /dev/null
+++ b/scan-apk/action.yaml
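Review bot: Each `run: echo ${{ steps.scan.outputs.vuln-count }}` step interpolates an action output straight into the shell script, the pattern GitHub's hardening guide flags for script injection; the value comes from the `scan-report` step inside `./scan-apk`, which is not in this hunk, so how strictly it is constrained to a number cannot be confirmed from here. Routing it through the environment removes the concern regardless of what the action emits: add `env: { VULN_COUNT: ${{ steps.scan.outputs.vuln-count }} }` to the step and use `run: echo "$VULN_COUNT"`. While there, none of the three jobs asserts anything about the output, so a scan that sets no output still passes; a check such as `[[ "$VULN_COUNT" =~ ^[0-9]+$ ]]` would make these real tests. The `test-alpine` job also passes `keyring: ""`, which presumably disables index signature verification for the edge repository; a comment stating that this is deliberate for a test fixture, or supplying the Alpine signing key instead, would stop it being copied as a pattern.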
@@ -0,0 +1,78 @@
+# Copyright 2022 The Distroless Authors
+# SPDX-License-Identifier: Apache-2.0
+
+name: 'Scan APK for vulnerabilities'
+description: |
+ This action scans an APK for vulnerabilities by turning it into an OCI image first.
+
+inputs:
+
+ repositories:
+ description: |
+ A comma-delimited list of APK repositories to include.
+ required: false
+ default: https://packages.wolfi.dev/os
+
+ keyring:
+ description: |
+ A comma-delimited list of APK keyrings to include.
+ required: false
+ default: https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+
+ package:
+ description: |
+ The APK to scan for vulnerabilities.
+ required: true
+
+ architecture:
+ description: |
+ The architecture to scan the package for vulnerabilities.
+ required: false
+ default: "x86_64"
+
+outputs:
+ vuln-count:
+ description: Number of vulnerables in Grype scan
+ value: ${{ steps.scan-report.outputs.vuln-count }}
+
+runs:
+ using: composite
+ steps:
+ - uses: chainguard-dev/actions/setup-registry@main
+ with:
+ port: 1234
+
+ - shell: bash
+ id: mkconfig
+ run: |
+ TMP=$(mktemp)
+
+ cat > "${TMP}" <