diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c37cb64..9a31c9a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -136,9 +136,17 @@ jobs:
         with:
           push: true
           context: .
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: |
+          tags: |-
+            ${{ steps.meta.outputs.tags }}
+          labels: |-
             ${{ steps.meta.outputs.labels }}
+          build-args: |-
+            COMMIT_SHA=${{ github.sha }}
+            GITHUB_TAG=${{ github.ref_name }}
+            GIT_COMMIT=${{ github.sha }}
+            GIT_TAG=${{ github.ref_name }}
+          provenance: mode=max
+          sbom: true
           platforms: linux/amd64,linux/arm64,linux/arm
           cache-from: type=gha
           cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
index cd3a934..c1737b2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,7 @@
 FROM alpine:edge AS dist
 ARG TARGETARCH TARGETOS
+ARG NONROOT_UID=65532
+ARG NONROOT_GID=65532
 # hadolint ignore=DL3018
 RUN apk add --no-cache ca-certificates
@@ -8,10 +10,24 @@ RUN apk add --no-cache ca-certificates
 COPY dist/registryproxy_${TARGETOS}_${TARGETARCH}_*/registryproxy* /
 RUN chmod +x /registryproxy;
+# create the 'nonroot' account
+RUN set -eux; \
+    etc_build="/build/etc"; \
+    mkdir -p "$etc_build"; \
+    writeto() { output_file=$1; shift; printf '%s\n' "$*" >>"$output_file"; }; \
+    writeto "${etc_build}/passwd" "nonroot:x:${NONROOT_UID}:${NONROOT_GID}:nonroot:/home/nonroot:/sbin/nologin"; \
+    writeto "${etc_build}/shadow" "nonroot:*:18313:0:99999:7:::"; \
+    writeto "${etc_build}/group" "nonroot:x:${NONROOT_GID}:"; \
+    writeto "${etc_build}/gshadow" "nonroot:::"; \
+    :
 FROM scratch
 LABEL maintainer="Backplane BV "
+COPY --from=dist /build/etc/* /etc/
 COPY --from=dist /etc/ssl /etc/ssl/
 COPY --from=dist /registryproxy /
+USER nonroot
 ENTRYPOINT [ "/registryproxy" ]
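Review bot: The new `build-args` block passes each value under two names (`COMMIT_SHA`/`GIT_COMMIT`, `GITHUB_TAG`/`GIT_TAG`) with no comment saying why, and because `provenance: mode=max` on the following line records every build-arg verbatim in the published attestation, the list must stay free of secrets. Add a comment above `build-args:` such as `# both spellings presumably feed different consumers; mode=max provenance records every build-arg, so keep these values non-secret`. `github.ref_name` is a tag only when the run is triggered by a tag push; the `on:` trigger and the enclosing step start outside the hunk, so if this job can also run from a branch, `GIT_TAG` would carry a branch name and should be guarded or documented.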
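Review bot: `USER nonroot` in the final stage selects the user by name, which is resolvable only through the copied /etc/passwd; runtimes that verify a non-root user without consulting the image's passwd (Kubernetes `runAsNonRoot`) reject a non-numeric USER, so prefer the numeric form. The `NONROOT_UID`/`NONROOT_GID` ARGs added in the previous hunk are declared inside the `dist` stage and are not visible after `FROM scratch`, so either redeclare them there (`ARG NONROOT_UID=65532`, `ARG NONROOT_GID=65532`, `USER ${NONROOT_UID}:${NONROOT_GID}`) or hoist them above the first FROM and redeclare without defaults. The shadow and gshadow files are created by `>>` under root's default umask with no chmod and then land in the image via `COPY --from=dist /build/etc/* /etc/`; nothing in a scratch image needs them, so drop those two `writeto` lines or copy only passwd and group. The passwd entry names `/home/nonroot` as home but no such directory exists in the scratch stage, presumably harmless if the binary never writes to $HOME; verify.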