diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
index 6aa713c..0e22b62 100644
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
@@ -21,6 +21,7 @@ on:
 permissions:
 contents: read
 actions: read
+ security-events: write
 
 jobs:
 scan:
@@ -47,11 +48,29 @@ jobs:
 no-cache: true
 
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: gitea-mirror:scan
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: '1'
+ ignore-unfixed: false
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Run Trivy vulnerability scanner (table output)
+ uses: aquasecurity/trivy-action@0.28.0
+ if: failure()
 with:
 image-ref: gitea-mirror:scan
 format: 'table'
- exit-code: '1'
- ignore-unfixed: true
+ exit-code: '0'
+ ignore-unfixed: false
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
diff --git a/Dockerfile b/Dockerfile
index bc62327..a58fc43 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.4
-FROM oven/bun:1.2.14-alpine AS base
+FROM oven/bun:1.2.18-alpine AS base
 WORKDIR /app
 RUN apk add --no-cache libc6-compat python3 make g++ gcc wget sqlite openssl
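Review bot: `security-events: write` is granted in the workflow-level `permissions:` block, so every job in this workflow receives it, while only the SARIF upload step needs it; placing it in a job-level `permissions:` block on `scan` (repeating `contents: read` and `actions: read` there, since a job-level block replaces the workflow-level one rather than extending it) keeps the grant with the job that uses it. Only the `scan` job is visible in this hunk, so if it is the workflow's sole job the difference is small today, but it stops the write grant from silently extending to any job added later. The `jobs:` block continues outside the hunk.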
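Review bot: All three new `uses:` lines are pinned to mutable refs — `aquasecurity/trivy-action@0.28.0` (twice) and `github/codeql-action/upload-sarif@v3` — so the workflow still runs whatever those tags resolve to at run time; moving off `@master` is an improvement, but a full commit SHA with the version in a trailing comment (`uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.28.0`) is what makes the pin immutable. The table-output step is gated on `if: failure()`, which is also true when an earlier step such as the image build (outside this hunk) failed, in which case it re-scans an image that may not exist; giving the SARIF step an `id` and testing `steps.<id>.outcome == 'failure'` ties the fallback to the scan itself. The upload step's `if: always()` also fires on a cancelled job, where `if: ${{ !cancelled() }}` is the usual form. Separately, `exit-code: '1'` together with `ignore-unfixed: false` now fails the job on CRITICAL/HIGH findings that have no fix available, which is a policy choice rather than a defect but worth confirming is intended, since the previous version set `ignore-unfixed: true`.
```yaml
      - name: Run Trivy vulnerability scanner
        id: trivy-sarif
        uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.28.0
        # … unchanged: with: block (image-ref, format, output, exit-code, ignore-unfixed, vuln-type, severity) …

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@<full-commit-sha>  # v3
        if: ${{ !cancelled() }}
        # … unchanged: with: sarif_file …

      - name: Run Trivy vulnerability scanner (table output)
        uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.28.0
        if: steps.trivy-sarif.outcome == 'failure'
        # … unchanged: with: block (image-ref, format, exit-code, ignore-unfixed, vuln-type, severity) …
```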