diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 228176d217..13a51cf36c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -91,6 +91,7 @@ jobs:
           - test-go-redirects
           - dockerfile-lint
           - path-warnings
+          - validate-vendor
     steps:
       -
         name: Set up Docker Buildx
diff --git a/Dockerfile b/Dockerfile
index 0fbed160d3..26ec7f74e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,8 @@ RUN apk add --no-cache \
     git \
     nodejs \
     npm \
-    gcompat
+    gcompat \
+    rsync
 
 # npm downloads Node.js dependencies
 FROM base AS npm
@@ -87,6 +88,22 @@ FROM scratch AS vendor
 COPY --from=update-modules /project/_vendor /_vendor
 COPY --from=update-modules /project/go.* /
 
+FROM base AS validate-vendor
+RUN --mount=target=/context \
+  --mount=type=bind,from=vendor,target=/out \
+  --mount=target=.,type=tmpfs <<EOT
+set -e
+rsync -a /context/. .
+git add -A
+rm -rf _vendor
+cp -rf /out/* .
+if [ -n "$(git status --porcelain -- go.mod go.sum _vendor)" ]; then
+  echo >&2 'ERROR: Vendor result differs. Please vendor your package with "make vendor"'
+  git status --porcelain -- go.mod go.sum _vendor
+  exit 1
+fi
+EOT
+
 # build-upstream builds an upstream project with a replacement module
 FROM build-base AS build-upstream
 # UPSTREAM_MODULE_NAME is the canonical upstream repository name and namespace (e.g. moby/buildkit)
diff --git a/docker-bake.hcl b/docker-bake.hcl
index dbbf1d568c..5ae1ccbf7a 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -36,7 +36,7 @@ target "release" {
 }
 
 group "validate" {
-  targets = ["lint", "test", "unused-media", "test-go-redirects", "dockerfile-lint", "path-warnings"]
+  targets = ["lint", "test", "unused-media", "test-go-redirects", "dockerfile-lint", "path-warnings", "validate-vendor"]
 }
 
 target "test" {
@@ -157,6 +157,11 @@ target "vendor" {
   provenance = false
 }
 
+target "validate-vendor" {
+  target = "validate-vendor"
+  output = ["type=cacheonly"]
+}
+
 variable "UPSTREAM_MODULE_NAME" {
   default = null
 }