diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 58e16ecf..4d2cbb23 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -71,5 +71,7 @@ jobs:
 perstack/perstack:${{ steps.version.outputs.major_minor }}
 ${{ steps.version.outputs.is_release == 'true' && 'perstack/perstack:latest' || '' }}
 perstack/perstack:sha-${{ github.sha }}
+ sbom: true
+ provenance: mode=max
 cache-from: type=gha
 cache-to: type=gha,mode=max
diff --git a/docker/Dockerfile b/docker/Dockerfile
index f734ba95..32fb6592 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -57,10 +57,14 @@ FROM ubuntu:24.04
 RUN apt-get update && \
 apt-get install -y --no-install-recommends \
 ca-certificates curl jq && \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* && \
+ useradd -m -s /bin/bash perstack
 COPY --from=build /app/out/perstack /usr/local/bin/perstack
 WORKDIR /workspace
+RUN chown perstack:perstack /workspace
+
+USER perstack
 ENTRYPOINT ["perstack"]
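Review bot: `provenance: mode=max` records build-argument values in the attestation that is pushed next to the image, so anything this step passes through `build-args` becomes readable by anyone who can pull from the registry. The rest of the step's `with:` block is outside the hunk, so I cannot tell whether build args are used; if they are, confirm none carries a credential and move any that do to secret mounts. A short comment above the two new keys would keep that constraint visible, e.g. `# SBOM + full provenance attestations; mode=max embeds build-arg values, never pass secrets via build-args`.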
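Review bot: The added `useradd -m -s /bin/bash perstack` leaves the UID to the system and `USER perstack` is a name, so a Kubernetes `runAsNonRoot` policy cannot verify the image is non-root. The assigned UID also depends on the accounts the base image ships (ubuntu:24.04 appears to include an `ubuntu` user at 1000, which is worth confirming). Pinning it makes the contract explicit: `useradd -m -s /bin/bash -u 10001 perstack` and `USER 10001`. The build-time `chown` of /workspace has no effect once a host directory is bind-mounted over it, so a comment above that `RUN` such as `# ownership applies only to the image's own /workspace; bind mounts keep host ownership` would help operators. The start of this final stage is outside the hunk.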