diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index ec6fb1548bd04..058aab80e6149 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -12,6 +12,12 @@ on:
 - reopened
 - synchronize
+defaults:
+ run:
+ # This enables `-o pipefail` for all jobs as compared to when shell isn't set.
+ # See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell
+ shell: bash
+
 jobs:
 define-job-matrix:
 outputs:
@@ -28,7 +34,13 @@ jobs:
 run: |
 source './scripts/ci/lib.sh'
- matrix='{ "pre_build_go_binaries": { "name":[], "arch":[] }, "build_and_push_main": { "name":[], "arch":[] }, "push_main_multiarch_manifests": { "name":[] } }'
+ matrix='{
+ "pre_build_go_binaries": { "name":[], "arch":[] },
+ "build_and_push_main": { "name":[], "arch":[] },
+ "push_main_multiarch_manifests": { "name":[] },
+ "build_and_push_operator": { "name":[] },
+ "scan_images_with_roxctl": { "name":[], "image":[], "exclude":[] }
+ }'
 # The base matrix
 matrix="$(jq '.pre_build_go_binaries.name += ["default"]' <<< "$matrix")"
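Review bot: The comment above `shell: bash` understates what changes: with no `shell` set GitHub runs non-Windows steps as `bash -e {0}`, while `shell: bash` switches every `run` step in the file to `bash --noprofile --norc -eo pipefail {0}`, so any step whose pipeline has a failing intermediate stage (a `grep` with no match, a `jq` on bad input) now fails where it used to pass silently. I'd extend the comment to say so, e.g. `# Unset shell means bash -e {0}; shell: bash means bash --noprofile --norc -eo pipefail {0}, so a failing stage anywhere in a pipeline now fails the step.` Jobs that run inside `container:` images (the apollo-ci image used later in this diff) pick up the same default, so bash must be on PATH there — presumably it is, since those steps already use bash syntax.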
@@ -39,6 +51,13 @@ jobs:
 matrix="$(jq '.push_main_multiarch_manifests.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")"
+ matrix="$(jq '.build_and_push_operator.name += ["RHACS_BRANDING"]' <<< "$matrix")"
+
+ matrix="$(jq '.scan_images_with_roxctl.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")"
+ matrix="$(jq '.scan_images_with_roxctl.image += ["central-db", "collector", "collector-slim", "main", "roxctl", "scanner", "scanner-db", "scanner-db-slim", "scanner-slim", "stackrox-operator"]' <<< "$matrix")"
+ # TODO(ROX-27191): remove the exclusion once there's a community operator.
+ matrix="$(jq '.scan_images_with_roxctl.exclude += [{ "name": "STACKROX_BRANDING", "image": "stackrox-operator" }]' <<< "$matrix")"
+
 if ! is_in_PR_context || pr_has_label ci-build-all-arch; then
 matrix="$(jq '.pre_build_go_binaries.arch += ["ppc64le", "s390x"]' <<< "$matrix")"
 matrix="$(jq '.build_and_push_main.arch += ["ppc64le", "s390x"]' <<< "$matrix")"
@@ -592,6 +611,8 @@ jobs:
 build-and-push-operator:
 runs-on: ubuntu-latest
+ needs:
+ - define-job-matrix
 container:
 image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
 env:
@@ -599,10 +620,9 @@ jobs:
 QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
 QUAY_RHACS_ENG_BEARER_TOKEN: ${{ secrets.QUAY_RHACS_ENG_BEARER_TOKEN }}
 strategy:
- matrix:
- branding: [ RHACS_BRANDING ]
+ matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_operator }}
 env:
- ROX_PRODUCT_BRANDING: ${{ matrix.branding }}
+ ROX_PRODUCT_BRANDING: ${{ matrix.name }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -726,8 +746,10 @@ jobs:
 directory: 'junit-reports'
 scan-images-with-roxctl:
- if: github.event_name == 'push'
+ if: github.event_name == 'push' ||
+ contains(github.event.pull_request.labels.*.name, 'scan-images-with-roxctl')
 needs:
+ - define-job-matrix
 - build-and-push-main
 - build-and-push-operator
 - push-main-manifests
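Review bot: The branding list `["RHACS_BRANDING", "STACKROX_BRANDING"]` is now written out twice in this step (for `push_main_multiarch_manifests.name` and for `scan_images_with_roxctl.name`), and the image list is a third hard-coded literal; a single shell variable such as `brandings='["RHACS_BRANDING", "STACKROX_BRANDING"]'` passed to jq with `--argjson` would keep the two matrices from drifting when a branding is added. The `exclude` entry is keyed on the literal strings `STACKROX_BRANDING` and `stackrox-operator`; as far as I know GitHub does not report an exclude that matches no combination, so a typo on either side would just mean the operator image gets scanned under STACKROX branding with no error. A comment stating which combination the entry removes, or a check at the end of this step that the combination count is what you expect, would make that failure visible.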
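Review bot: The new label condition only has an effect when a run is started after the label is applied; the `pull_request` types visible in the first hunk end with `reopened` and `synchronize`, and unless `labeled` is also in that list (the rest of it is outside this diff) adding `scan-images-with-roxctl` to an open PR does nothing until the next push or a manual re-run, which is worth a comment next to the `if:`. The condition is now a two-line plain scalar, which is valid YAML but easy to misread as two keys; `if: >-` followed by the two indented lines makes the folding explicit. Gating on a label is a sensible way to open a job that holds `security-events: write` to PR runs, since only collaborators with triage rights can apply labels. Note that the job still depends on `build-and-push-main`, `build-and-push-operator` and `push-main-manifests`, so a labelled PR only gets a scan if those jobs also run for pull_request events — I can't see their conditions from this hunk.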
@@ -739,20 +761,7 @@ jobs:
 security-events: write
 strategy:
 fail-fast: false
- matrix:
- image:
- [
- "central-db",
- "collector",
- "collector-slim",
- "main",
- "roxctl",
- "scanner",
- "scanner-db",
- "scanner-db-slim",
- "scanner-slim",
- "stackrox-operator",
- ]
+ matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).scan_images_with_roxctl }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -779,14 +788,16 @@ jobs:
 - name: Scan images for vulnerabilities
 run: |
- release_tag=$(make tag)
- if [[ ${{ matrix.image }} =~ "operator" ]]; then
- release_tag=$(make -C operator --silent tag)
+ release_tag="$(make --quiet --no-print-directory tag)"
+ if [[ "${{ matrix.image }}" =~ "operator" ]]; then
+ release_tag="$(make -C operator --quiet --no-print-directory tag)"
 fi
+
+ registry="$(./scripts/ci/lib.sh registry_from_branding "${{ matrix.name }}")"
+
 roxctl image scan --retries=10 --retry-delay=15 --force --severity=CRITICAL,IMPORTANT --output=sarif \
- --image="quay.io/rhacs-eng/${{ matrix.image }}:${release_tag}" \
- > results.sarif
- cat results.sarif
+ --image="${registry}/${{ matrix.image }}:${release_tag}" \
+ | tee results.sarif
 # TODO: re-enable roxctl scan results upload once quota issue has been resolved
 # - name: Upload roxctl scan results to GitHub Security tab
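Review bot: `${{ matrix.image }}` and `${{ matrix.name }}` are still expanded straight into the shell script in three places in this hunk; today the values come only from the hard-coded lists built in `define-job-matrix`, so there is no untrusted input, but this is the pattern workflow linters flag as expression injection and it silently becomes one if the matrix is ever derived from PR data. Mapping the two values through `env:` and reading `"${IMAGE}"` / `"${BRANDING}"` in the script keeps quoting in bash's hands at no cost. The switch from `> results.sarif` plus `cat` to `| tee results.sarif` only fails the step on a `roxctl` error because of the `pipefail` default introduced in the first hunk; a comment on the `tee` line, `# pipefail (defaults.run.shell) makes a roxctl failure fail this step`, would stop someone from changing either in isolation. `./scripts/ci/lib.sh registry_from_branding …` executes the library instead of sourcing it as `define-job-matrix` does; if `lib.sh` does not dispatch its first argument to a function when run directly, `registry` ends up empty (or the step aborts under `-e`), so confirm that entry point exists.
```yaml
      - name: Scan images for vulnerabilities
        env:
          IMAGE: ${{ matrix.image }}
          BRANDING: ${{ matrix.name }}
        run: |
          # … unchanged: release_tag from make tag …
          if [[ "${IMAGE}" =~ "operator" ]]; then
          # … unchanged: operator release_tag, fi …
          registry="$(./scripts/ci/lib.sh registry_from_branding "${BRANDING}")"
          # … unchanged: roxctl image scan flags …
            --image="${registry}/${IMAGE}:${release_tag}" \
            | tee results.sarif  # pipefail (defaults.run.shell) makes a roxctl failure fail this step
```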