diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml
index 0b8e8019df..5e974f0f85 100644
--- a/.github/workflows/atlantis-image.yml
+++ b/.github/workflows/atlantis-image.yml
@@ -76,7 +76,7 @@ jobs:
         go-version-file: "go.mod"
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
+      uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
       with:
         image: tonistiigi/binfmt:latest
         platforms: arm64,arm
@@ -146,7 +146,7 @@ jobs:
     - name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image"
       id: build
       if: contains(fromJson('["push", "pull_request"]'), github.event_name)
-      uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
+      uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6
       with:
         cache-from: type=gha
         cache-to: type=gha,mode=max
@@ -213,7 +213,7 @@ jobs:
 
       - name: "Build and load into Docker"
         if: contains(fromJson('["push", "pull_request"]'), github.event_name)
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6
         with:
           cache-from: type=gha
           cache-to: type=gha,mode=max
diff --git a/.github/workflows/testing-env-image.yml b/.github/workflows/testing-env-image.yml
index 44008e8a8b..ebafe7eb4c 100644
--- a/.github/workflows/testing-env-image.yml
+++ b/.github/workflows/testing-env-image.yml
@@ -43,7 +43,7 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
+      uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
       with:
         image: tonistiigi/binfmt:latest
         platforms: arm64,arm
@@ -60,7 +60,7 @@ jobs:
 
     - run: echo "TODAY=$(date +"%Y.%m.%d")" >> $GITHUB_ENV
     - name: Build and push testing-env:${{env.TODAY}} image
-      uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
+      uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6
       with:
         cache-from: type=gha
         cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
index ed8d0b5fe7..e9f2f13702 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1@sha256:93bfd3b68c109427185cd78b4779fc82b484b0b7618e36d0f104d4d801e66d25
 # what distro is the image being built for
-ARG ALPINE_TAG=3.21.0@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45
+ARG ALPINE_TAG=3.21.2@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
 ARG DEBIAN_TAG=12.8-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb
 ARG GOLANG_TAG=1.23.4-alpine@sha256:6c5c9590f169f77c8046e45c611d3b28fe477789acd8d3762d23d4744de69812
 
@@ -155,7 +155,7 @@ COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
 # renovate: datasource=repology depName=alpine_3_21/ca-certificates versioning=loose
-ENV CA_CERTIFICATES_VERSION="20241010"
+ENV CA_CERTIFICATES_VERSION="20241121-r1"
 
 # Install packages needed to run Atlantis.
 # We place this last as it will bust less docker layer caches when packages update