diff --git a/ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml b/ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml
index 38425a0edeb4..775bf4347be8 100644
--- a/ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml
+++ b/ci-operator/config/openshift/backplane-cli/openshift-backplane-cli-main.yaml
@@ -7,7 +7,7 @@ build_root:
   image_stream_tag:
     name: release
     namespace: openshift
-    tag: golang-1.18
+    tag: golang-1.19
 images:
 - dockerfile_path: Dockerfile
   from: base
@@ -28,6 +28,11 @@ tests:
     make test
   container:
     from: src
+- as: scan
+  commands: make scan
+  container:
+    from: src
+  optional: true
 - as: build
   commands: |
     make build
diff --git a/ci-operator/jobs/openshift/backplane-cli/openshift-backplane-cli-main-presubmits.yaml b/ci-operator/jobs/openshift/backplane-cli/openshift-backplane-cli-main-presubmits.yaml
index 1c12918aaf75..db90703da252 100644
--- a/ci-operator/jobs/openshift/backplane-cli/openshift-backplane-cli-main-presubmits.yaml
+++ b/ci-operator/jobs/openshift/backplane-cli/openshift-backplane-cli-main-presubmits.yaml
@@ -203,6 +203,56 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )lint,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build03
+    context: ci/prow/scan
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-backplane-cli-main-scan
+    optional: true
+    rerun_command: /test scan
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --target=scan
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )scan,?($|\s.*)
   - agent: kubernetes
     always_run: true
     branches: