diff --git a/apps/base/renovate/release.yaml b/apps/base/renovate/release.yaml
index c750b2195eb7d94a73b0fa0425ffd4e7c75920ef..6473410cc37a6e1c15e3548a67a9f52091a21f44 100644
--- a/apps/base/renovate/release.yaml
+++ b/apps/base/renovate/release.yaml
@@ -41,6 +41,12 @@ metadata:
   namespace: renovate
 data:
   values.yaml: |
+    renovate:
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
     serviceAccount:
       create: true
     extraVolumes:
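Review bot: The container-level `securityContext` added under `renovate:` leaves the root filesystem writable, so a compromised dependency-update run could still modify files inside the container image. If every path Renovate writes to is backed by a volume, add `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false`. The `/cache` mount is visible later in this file, but whether a temp directory is also volume-backed cannot be confirmed from this hunk. A short comment such as `# container-level; pod-level settings live in the top-level securityContext` would also help, because the two similarly named keys are easy to confuse. The `values.yaml` block scalar continues outside the hunk.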
@@ -51,7 +57,12 @@ data:
       - name: cache
         mountPath: /cache
     securityContext:
+      runAsNonRoot: true
+      runAsUser: 1000
+      fsGroupChangePolicy: Always
       fsGroup: 1000
+      seccompProfile:
+        type: RuntimeDefault
     resources:
       requests:
         cpu: 100m
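Review bot: The pod `securityContext` pins `runAsUser: 1000` and `fsGroup: 1000` but sets no `runAsGroup`, so the process's primary GID is whatever the image defines, which may be the root group (GID 0). Adding `runAsGroup: 1000` after `runAsUser` makes the identity explicit. UID 1000 is hard-coded here, so confirm it matches the user the Renovate image expects, since a mismatch would break access to its home and cache directories. `fsGroupChangePolicy: Always` only restates the Kubernetes default and forces a recursive ownership change on every mount. Consider `fsGroupChangePolicy: OnRootMismatch` if the cache volume is large.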