diff --git a/.github/workflows/test-and-build.yml b/.github/workflows/test-and-build.yml
index 596eff5..130977e 100644
--- a/.github/workflows/test-and-build.yml
+++ b/.github/workflows/test-and-build.yml
@@ -40,6 +40,7 @@ jobs:
 nodejs-lts-hydrogen \
 npm \
 tar \
+ trivy \
 unzip \
 which \
 zip
@@ -53,6 +54,9 @@ jobs:
 run: |
 go test -v ./...
 
+ - name: Execute Trivy scan
+ run: make trivy
+
 - name: Build release
 run: make publish
 env:
diff --git a/Dockerfile b/Dockerfile
index fda31d6..27a9c83 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,6 +34,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots
 
 EXPOSE 3000
 
+USER 1000:1000
+
 ENTRYPOINT ["/usr/local/bin/ots"]
 CMD ["--"]
 
diff --git a/Dockerfile.minimal b/Dockerfile.minimal
index 14b2d42..301f0b9 100644
--- a/Dockerfile.minimal
+++ b/Dockerfile.minimal
@@ -30,6 +30,8 @@ COPY --from=builder /go/bin/ots /usr/local/bin/ots
 
 EXPOSE 3000
 
+USER 1000:1000
+
 ENTRYPOINT ["/usr/local/bin/ots"]
 CMD ["--"]
 
diff --git a/Makefile b/Makefile
index aca2244..144d18c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VER_FONTAWESOME=6.4.0
+VER_FONTAWESOME:=6.4.0
 
 default: generate download_libs
 
@@ -33,3 +33,16 @@ download_libs: fontawesome
 fontawesome:
 curl -sSfL https://github.com/FortAwesome/Font-Awesome/archive/$(VER_FONTAWESOME).tar.gz | \
 tar -vC frontend -xz --strip-components=1 --wildcards --exclude='*/js-packages' '*/css' '*/webfonts'
+
+ # -- Vulnerability scanning --
+
+ trivy:
+ trivy fs . \
+ --dependency-tree \
+ --exit-code 1 \
+ --format table \
+ --ignore-unfixed \
+ --quiet \
+ --scanners config,license,secret,vuln \
+ --severity HIGH,CRITICAL \
+ --skip-dirs docs
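Review bot: `trivy` is added to the distro package list unpinned, so the scanner version, and with it the rule set and the exact behaviour of the flags used by `make trivy`, changes whenever the package repository updates, without any commit in this repository; combined with `--exit-code 1` downstream, a scanner upgrade alone can turn the release job red. The other packages in this list are unpinned too, but a security gate is the one place a version pin pays for itself, so pin trivy to a known version or install it from its release archive with a verified checksum. The install command this package list belongs to starts before the hunk.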
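Review bot: The `Execute Trivy scan` step scans the checked-out tree (`trivy fs .` in the Makefile), so it covers lockfiles, committed secrets and the config checks, but not the OS packages of the base image the two Dockerfiles build on; if `make publish` builds the container image, a `trivy image` run against it after that step would close the gap — whether the image is built in this job is not visible in the hunk. The step also has to fetch the vulnerability database on every run, which slows the job and fails it on a registry outage; pointing `TRIVY_CACHE_DIR` at a path restored by a cache action keeps the database between runs. The job's remaining steps continue outside the hunk.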
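Review bot: `USER 1000:1000` switches to a UID/GID that has no entry in the image's passwd and group files, so getpwuid()-style lookups fail and HOME is unset; that is fine for a static binary that only listens on port 3000, but it should be stated next to the instruction so nobody later appends a RUN step that needs root or mounts a root-owned volume. Proposed comment above the line: `# Drop root before ENTRYPOINT; numeric UID/GID (no passwd entry) so runAsNonRoot-style admission checks can verify it without a lookup`. The same instruction is added in Dockerfile.minimal and this note applies there too.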
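Review bot: The new `trivy` target produces no file and is not declared `.PHONY`, so a file or directory named `trivy` in the checkout (a downloaded binary, for instance) would make it report "up to date" and silently skip the scan; add `.PHONY: trivy` above the target (no `.PHONY` declaration is visible in the hunk, so the existing targets may share the gap). `--ignore-unfixed` and `--severity HIGH,CRITICAL` deliberately drop findings without an upstream fix and everything below HIGH, which is a reasonable gate but should be recorded in the section comment so the suppression reads as a decision rather than an accident: `# -- Vulnerability scanning (gates on HIGH/CRITICAL findings with an available fix; unfixed and MEDIUM/LOW findings are reported nowhere) --`. `--quiet` also suppresses the scanner's log output, including warnings about a stale database, so consider dropping it when the target runs in CI.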