diff --git a/.tekton/pipeline-service-images-test.yaml b/.tekton/pipeline-service-images-test.yaml
new file mode 100644
index 000000000..7faf7d7d1
--- /dev/null
+++ b/.tekton/pipeline-service-images-test.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: docker-images-test
+ annotations:
+ pipelinesascode.tekton.dev/on-event: "[pull_request, push]"
+ pipelinesascode.tekton.dev/on-target-branch: "[refs/heads/*]"
+ pipelinesascode.tekton.dev/task: "[git-clone, buildah]"
+ pipelinesascode.tekton.dev/max-keep-runs: "5"
+spec:
+ timeouts:
+ pipeline: "0h20m0s"
+ tasks: "0h5m0s"
+ params:
+ - name: repo_url
+ value: "{{ repo_url }}"
+ - name: revision
+ value: "{{ revision }}"
+ pipelineSpec:
+ params:
+ - name: repo_url
+ - name: revision
+ workspaces:
+ - name: source
+ tasks:
+ - name: fetch-repository
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: source
+ params:
+ - name: url
+ value: $(params.repo_url)
+ - name: revision
+ value: $(params.revision)
+ - name: build-images
+ runAfter:
+ - fetch-repository
+ workspaces:
+ - name: source
+ workspace: source
+ taskSpec:
+ workspaces:
+ - name: source
+ volumes:
+ - emptyDir: {}
+ name: varlibcontainers
+ steps:
+ - name: test-build-images
+ image: registry.redhat.io/ubi9/buildah@sha256:32dba51af7790d4f067ff0bc37e46a2f583f093106176a4e48573623d144a9dc
+ imagePullPolicy: Always
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ volumeMounts:
+ - mountPath: /var/lib/containers
+ name: varlibcontainers
+ workingDir: $(workspaces.source.path)
+ script: |
+ developer/hack/build-images-buildah.sh
+ workspaces:
+ - name: source
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/developer/hack/build-images-buildah.sh b/developer/hack/build-images-buildah.sh
new file mode 100755
index 000000000..fa696f627
--- /dev/null
+++ b/developer/hack/build-images-buildah.sh
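Review bot: The annotation `pipelinesascode.tekton.dev/task: "[git-clone, buildah]"` asks Pipelines-as-Code to resolve a `buildah` task that nothing in this PipelineRun references — the only `taskRef` is `git-clone`, and `build-images` runs buildah through its own inline `taskSpec`. Either trim the annotation to `pipelinesascode.tekton.dev/task: "[git-clone]"` or use the resolved task so the step-level `SETFCAP` capability and the `/var/lib/containers` emptyDir are not re-declared here. Since `on-event` includes `pull_request`, the step executes `developer/hack/build-images-buildah.sh` from the checked-out PR revision, so the PaC policy on who may trigger runs from forks is what bounds what a pull request can execute in this pod; confirm that setting rather than relying on the pinned buildah digest alone. The `tasks: "0h5m0s"` timeout applies to all tasks of the run together, which looks tight for `--no-cache` builds of several images; verify against a real run.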
@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+set -x
+
+SCRIPT_DIR="$(
+ cd "$(dirname "$0")" >/dev/null
+ pwd
+)"
+PROJECT_DIR="$(
+ cd "$SCRIPT_DIR/../.." >/dev/null || exit 1
+ pwd
+)"
+export PROJECT_DIR
+
+parse_args() {
+ mapfile -t DEFAULT_IMAGE_DIRS < <(
+ find "$PROJECT_DIR" -type f -name Dockerfile -exec dirname {} \; |
+ sed "s:$PROJECT_DIR/::" |
+ grep --invert-match --extended-regexp "/developer/exploration/|.devcontainer" |
+ sort
+ )
+ IMAGE_DIRS=()
+ while [[ $# -gt 0 ]]; do
+ case $1 in
+ -i | --image)
+ shift
+ if [ ! -d "$1" ]; then
+ echo "[ERROR] Directory does not exists: $1" >&2
+ exit 1
+ else
+ if [ ! -e "$1/Dockerfile" ]; then
+ echo "[ERROR] Dockerfile not found in '$1'" >&2
+ exit 1
+ fi
+ fi
+ IMAGE_DIRS+=("$1")
+ ;;
+ -t | --tag)
+ shift
+ TAG="$1"
+ ;;
+ -d | --debug)
+ set -x
+ DEBUG="--debug"
+ export DEBUG
+ ;;
+ -h | --help)
+ usage
+ exit 0
+ ;;
+ *)
+ echo "Unknown argument: $1"
+ usage
+ exit 1
+ ;;
+ esac
+ shift
+ done
+}
+
+init() {
+ TAG=${TAG:-latest}
+ if [ -z "${IMAGE_DIRS[*]}" ]; then
+ IMAGE_DIRS=("${DEFAULT_IMAGE_DIRS[@]}")
+ fi
+}
+
+build_image() {
+ echo "[$image_dir]"
+ image_name=$(basename "$image_dir")
+ # for debugging: if image_name != "devenv", then skip
+ if [ "$image_name" != "devenv" ]; then
+ return
+ fi
+ case "$image_name" in
+ quay-upload|vulnerability-scan)
+ context="$image_dir"
+ ;;
+ *)
+ context="$PROJECT_DIR"
+ ;;
+ esac
+
+ buildah --storage-driver=vfs bud --format=oci \
+ --log-level debug \
+ --tls-verify=true --no-cache \
+ -f "$image_dir/Dockerfile" --tag "$image_name:$TAG" "$context"
+ echo
+}
+
+main() {
+ if [ -n "${DEBUG:-}" ]; then
+ set -x
+ fi
+ parse_args "$@"
+ init
+ for image_dir in "${IMAGE_DIRS[@]}"; do
+ build_image
+ done
+}
+
+if [ "${BASH_SOURCE[0]}" == "$0" ]; then
+ main "$@"
+fi
diff --git a/developer/images/devenv/Dockerfile b/developer/images/devenv/Dockerfile
index 75ec821bf..d31d316c2 100644
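Review bot: `build_image` still carries the debugging guard `if [ "$image_name" != "devenv" ]; then return; fi` (its own comment says "for debugging"), so every directory in `IMAGE_DIRS` other than `devenv` is silently skipped and the CI job added alongside this script only ever builds one image; those four lines should go before merging. `usage` is called from the `-h`/`--help` and unknown-argument branches of `parse_args` but is not defined anywhere in this file, so under `set -o errexit` a `-h` run ends with "command not found" instead of the intended exit 0. With `set -o nounset`, `-i` or `-t` given as the last argument reach `$1` after the `shift` and abort with an unbound-variable error rather than a message; a check such as `[ $# -gt 0 ] || { echo "[ERROR] Missing value for option" >&2; exit 1; }` right after each `shift` covers both. The unconditional `set -x` near the top of the file also makes the `-d`/`--debug` toggle and the `DEBUG` check in `main` redundant — keep one of the two.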
--- a/developer/images/devenv/Dockerfile
+++ b/developer/images/devenv/Dockerfile
@@ -4,19 +4,18 @@ RUN set -x \
 && mkdir -p /tmp/image-build \
 && dnf install -y \
 # gcc is needed when installing checkov's dependencies
- gcc-c++-13.1.1 \
- git-2.40.1 \
+ gcc-c++-13.2.1 \
+ git-2.41.0 \
 openssl-3.0.9 \
 procps-ng-3.3.17 \
 # python3-devl is needed when installing checkov's dependencies
- python3-devel-3.11.3 \
+ python3-devel-3.11.4 \
 rsync-3.2.7 \
 unzip-6.0 \
 which-2.21 \
 xz-5.4.1 \
 && dnf clean all \
- && sed -i -e "s:podman:root:" /etc/subuid /etc/subgid \
- && podman system migrate
+ && sed -i -e "s:podman:root:" /etc/subuid /etc/subgid
 COPY shared /tmp/image-build/shared
 RUN /tmp/image-build/shared/hack/install.sh --debug --bin argocd,bitwarden,checkov,hadolint,jq,kind,kubectl,oc,shellcheck,tkn,yamllint,yq \
 && rm -rf /tmp/image-build
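Review bot: Dropping `&& podman system migrate` after the `sed -i -e "s:podman:root:" /etc/subuid /etc/subgid` edit is a behaviour change that the hunk leaves unexplained next to the plain version bumps; a one-line comment above the `sed` line saying why the migrate step is no longer needed (or what now covers it) would stop the next reader from restoring it. The `sed` expression does an unanchored first-occurrence replacement of `podman` on every line of both files, which presumably relies on each file holding exactly one `podman` entry — a `# rewrite the podman subuid/subgid range to root` note would make that assumption explicit. The enclosing `RUN` instruction begins before this hunk.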