diff --git a/.github/workflows/push-image-scan.yml b/.github/workflows/push-image-scan.yml
index 86d7dfa..9c75a9b 100644
--- a/.github/workflows/push-image-scan.yml
+++ b/.github/workflows/push-image-scan.yml
@@ -1,4 +1,6 @@
 name: Image Vulnerability Scan
+# Secrets can only viewed in "push" events. Not pull_request events.
+# That's why this step needs to be called on push, and not on pull_request (to read docker login password).
 
 on:
   workflow_call: