diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index 56abe694d9..f8cb3edc89 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.18.3
+FROM alpine:3.20.0
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
index 711d4a5837..063dfdff91 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -19,7 +19,7 @@ RUN go build -o /usr/bin/oathkeeper .
 
 #########################
 
-FROM gcr.io/distroless/static-debian11:nonroot AS runner
+FROM gcr.io/distroless/static-debian12:nonroot AS runner
 
 COPY --from=builder --chown=nonroot:nonroot /usr/bin/oathkeeper /usr/bin/oathkeeper
 
diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
index 91020b7c27..8bcb1a9e77 100644
--- a/.docker/Dockerfile-distroless-static
+++ b/.docker/Dockerfile-distroless-static
@@ -1,4 +1,4 @@
-FROM gcr.io/distroless/static-debian11:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot
 
 COPY --chown=nonroot:nonroot oathkeeper /usr/bin/oathkeeper
 EXPOSE 4455 4456
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index 4d99e53056..87360e02bf 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -48,6 +48,15 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+      - name: Kubescape scanner
+        uses: kubescape/github-action@main
+        id: kubescape
+        with:
+          image: oryd/oathkeeper:${{ env.SHA_SHORT }}
+          verbose: true
+          format: pretty-printer
+          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+          severityThreshold: critical
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}