diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml
index 3bba363da..ee4a5b145 100644
--- a/.github/workflows/vulnerability-scans.yaml
+++ b/.github/workflows/vulnerability-scans.yaml
@@ -36,8 +36,16 @@ jobs:
         shell: bash
         run: |
           readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')"
-          echo "${TAGS_ARRAY[0]},${TAGS_ARRAY[1]},${TAGS_ARRAY[2]}"
-          TAGS_JSON="[\"${TAGS_ARRAY[0]}\",\"${TAGS_ARRAY[1]}\",\"${TAGS_ARRAY[2]}\"]"
+          FULL_TAGS=(${TAGS_ARRAY[0]} ${TAGS_ARRAY[1]} ${TAGS_ARRAY[2]})
+          SHORT_TAGS=()
+          for i in ${FULL_TAGS[@]}
+          do
+            echo "tag: $i"
+            short=$(echo "$i" | cut -d - -f 2)
+            SHORT_TAGS+=($short)
+          done
+          echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}"
+          TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]"
           echo "${TAGS_JSON}"
           echo "::set-output name=TAGS::${TAGS_JSON}"
 
@@ -57,7 +65,7 @@ jobs:
       id: scan
       uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20 #v0.5.1
       with:
-        image-ref: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}
+        image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
         format: 'sarif'
         output: trivy-results-${{ matrix.versions }}.sarif
         exit-code: 0