diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 500f2f028c95145b13781248c78abadebb1947fa..d3a77dd424a8ca274a3cf9536759c832e009ab45 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0
         with:
           scan-type: 'fs'
           format: 'sarif'
diff --git a/Dockerfile b/Dockerfile
index c26bc11b3194e055495363715b3834799fb4ffed..6d7c1f83709802ed3c2d03e6399eb843399b7ca7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -40,7 +40,7 @@ ARG LZ4_VERSION="1.10.0-r0"
 # renovate: datasource=repology depName=alpine_3_21/linux-headers versioning=loose
 ARG LINUX_HEADERS_VERSION="6.6-r1"
 
-FROM python:3.13.3-alpine3.21@sha256:452682e4648deafe431ad2f2391d726d7c52f0ff291be8bd4074b10379bb89ff AS base
+FROM python:3.13.4-alpine3.22@sha256:b4d299311845147e7e47c970566906caf8378a1f04e5d3de65b5f2e834f8e3bf AS base
 
 ################################################################################
 #                    BUILD BORGBACKUP FROM SOURCE USING PIP                    #