diff --git a/.github/workflows/cd-app.yml b/.github/workflows/cd-app.yml
index b39fa1a8..772fe3db 100644
--- a/.github/workflows/cd-app.yml
+++ b/.github/workflows/cd-app.yml
@@ -14,10 +14,6 @@ on:
 # - "infra/**"
 workflow_dispatch:
 inputs:
- app_name:
- description: "name of application folder under infra directory"
- required: true
- type: string
 environment:
 description: "target environment"
 required: true
@@ -32,5 +28,5 @@ jobs:
 name: Deploy
 uses: ./.github/workflows/deploy.yml
 with:
- app_name: ${{ inputs.app_name || 'app' }}
+ app_name: "app"
 environment: ${{ inputs.environment || 'dev' }}
diff --git a/.github/workflows/ci-app-vulnerability-scans.yml.yml b/.github/workflows/ci-app-vulnerability-scans.yml.yml
new file mode 100644
index 00000000..ffcc5522
--- /dev/null
+++ b/.github/workflows/ci-app-vulnerability-scans.yml.yml
@@ -0,0 +1,26 @@
+name: CI Vulnerability Scans
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - app/**
+ - .grype.yml
+ - .hadolint.yaml
+ - .trivyignore
+ - .github/workflows/ci-vulnerability-scans.yml
+ pull_request:
+ paths:
+ - app/**
+ - .grype.yml
+ - .hadolint.yaml
+ - .trivyignore
+ - .github/workflows/ci-vulnerability-scans.yml
+
+jobs:
+ vulnerability-scans:
+ name: Vulnerability Scans
+ uses: ./.github/workflows/vulnerability-scans.yml
+ with:
+ app_name: "app"
diff --git a/.github/workflows/ci-vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
similarity index 80%
rename from .github/workflows/ci-vulnerability-scans.yml
rename to .github/workflows/vulnerability-scans.yml
index c39f2ee3..53e5968f 100644
--- a/.github/workflows/ci-vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
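Review bot: The `paths` filters in the new `ci-app-vulnerability-scans.yml.yml` still list `.github/workflows/ci-vulnerability-scans.yml`, which this same commit renames to `vulnerability-scans.yml`, so a change to the reusable scan workflow — or to this caller itself — will no longer trigger the scans on push or pull_request; replace that entry in both lists with `- .github/workflows/ci-app-vulnerability-scans.yml` and `- .github/workflows/vulnerability-scans.yml`. The doubled `.yml.yml` extension in the new filename also looks unintended (GitHub will still pick the file up, but the stale path filter above would need to match whatever name is finally chosen). Since this caller now runs on every pull request, consider adding a top-level `permissions: contents: read` if the reusable workflow does not already declare its own — the called workflow's token can only be as permissive as the caller's, so this is the cheapest place to cap it.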
@@ -3,28 +3,15 @@
 # NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image.
 # A future PR will pass the image between the scans to reduce overhead and increase speed
-name: CI Vulnerability Scans
+name: Vulnerability Scans
 on:
- push:
- branches:
- - main
- paths:
- app/**
- .grype.yml
- .hadolint.yaml
- .trivyignore
- .github/workflows/ci-vulnerability-scans.yml
- pull_request:
- paths:
- app/**
- .grype.yml
- .hadolint.yaml
- .trivyignore
- .github/workflows/ci-vulnerability-scans.yml
-
-env:
- APP_NAME: app
+ workflow_call:
+ inputs:
+ app_name:
+ description: "name of application folder under infra directory"
+ required: true
+ type: string
 jobs:
 hadolint-scan:
@@ -37,7 +24,7 @@ jobs:
 - name: Scan Dockerfile by hadolint
 uses: hadolint/hadolint-action@v3.1.0
 with:
- dockerfile: ${{ env.APP_NAME }}/Dockerfile
+ dockerfile: ${{ inputs.app_name }}/Dockerfile
 format: tty
 failure-threshold: warning
 output-file: hadolint-results.txt
@@ -55,8 +42,8 @@ jobs:
 - name: Build and tag Docker image for scanning
 id: build-image
 run: |
- make APP_NAME=${{ env.APP_NAME }} release-build
- IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
+ make APP_NAME=${{ inputs.app_name }} release-build
+ IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
 IMAGE_TAG=$(make release-image-tag)
 echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
@@ -85,8 +72,8 @@ jobs:
 - name: Build and tag Docker image for scanning
 id: build-image
 run: |
- make APP_NAME=${{ env.APP_NAME }} release-build
- IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
+ make APP_NAME=${{ inputs.app_name }} release-build
+ IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
 IMAGE_TAG=$(make release-image-tag)
 echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
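Review bot: The new `workflow_call` input `app_name` carries the description `"name of application folder under infra directory"`, which appears to have been copied from the `cd-app.yml` dispatch input; in this workflow the value is used as `${{ inputs.app_name }}/Dockerfile` and as `make APP_NAME=...`, and the new caller filters on `app/**` at the repository root, so the text points at the wrong place. Suggest `description: "name of the application folder (at the repository root) whose Dockerfile and image are scanned"`. Because a reusable workflow cannot validate this string, it is also worth saying in the description that the value is expanded into shell commands and must be a plain folder name.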
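Review bot: In both "Build and tag Docker image for scanning" steps, `${{ inputs.app_name }}` is now expanded directly into the `run:` script text (`make APP_NAME=${{ inputs.app_name }} release-build` and the `IMAGE_NAME=$(...)` line), which is the GitHub Actions script-injection pattern — the workflow is now reusable, and any future caller that wires this input to a `workflow_dispatch` value or another user-influenced string would have it interpreted by the shell with the job's token. The only caller visible in this diff passes the literal `"app"`, so this is a hardening point rather than a live bug. Pass the value through the environment instead — `env: APP_NAME: ${{ inputs.app_name }}` on the step or job, and `make APP_NAME="$APP_NAME" release-build` / `IMAGE_NAME=$(make APP_NAME="$APP_NAME" release-image-name)` in the script — which also leaves these lines in the same shape they had before the top-level `env` block was removed. The third build step later in the file has the same pattern.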
@@ -109,8 +96,8 @@ jobs:
 - name: Build and tag Docker image for scanning
 id: build-image
 run: |
- make APP_NAME=${{ env.APP_NAME }} release-build
- IMAGE_NAME=$(make APP_NAME=${{ env.APP_NAME }} release-image-name)
+ make APP_NAME=${{ inputs.app_name }} release-build
+ IMAGE_NAME=$(make APP_NAME=${{ inputs.app_name }} release-image-name)
 IMAGE_TAG=$(make release-image-tag)
 echo "image=$IMAGE_NAME:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
diff --git a/.grype.yml b/.grype.yml
index 60117112..9fe419a0 100644
--- a/.grype.yml
+++ b/.grype.yml
@@ -16,3 +16,5 @@ ignore:
 - fix-state: not-fixed
 - fix-state: wont-fix
 - fix-state: unknown
+ # https://github.com/anchore/grype/issues/1172
+ - vulnerability: GHSA-xqr8-7jwr-rhp7
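Review bot: The new `.grype.yml` rule suppresses `GHSA-xqr8-7jwr-rhp7` for every package in every image scanned with this config, with no scope and no expiry; the linked grype issue is the only stated reason, and if it is a scanner false positive on one package the rule as written will also hide a genuine match on any other package. Grype ignore entries accept a `package:` block (`name`, `version`, `type`, `location`), so narrow it to the package the issue concerns — `- vulnerability: GHSA-xqr8-7jwr-rhp7` followed by `  package:` and `    name: <affected package>` — and extend the comment with a one-line reason and a date to revisit once the upstream issue is closed. Note that the surrounding `fix-state` rules already hide every finding without an available fix, so each additional unscoped ignore further shrinks what this scan can still report.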