diff --git a/dockerfiles/ingress-pipy/Dockerfile b/dockerfiles/ingress-pipy/Dockerfile
index aa932a0..17f0d9f 100644
--- a/dockerfiles/ingress-pipy/Dockerfile
+++ b/dockerfiles/ingress-pipy/Dockerfile
@@ -1,6 +1,7 @@
 # syntax = docker/dockerfile:1.4
 ARG TARGETOS
 ARG TARGETARCH
+ARG DISTROLESS_TAG
 
 # Build the ingress-pipy binary
 FROM --platform=$BUILDPLATFORM golang:1.19-alpine3.15 as builder
@@ -21,8 +22,15 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg \
     CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH make build/ingress-pipy
 
-FROM flomesh/pipy:0.70.0-46
+# Builder image, pipy
+FROM flomesh/pipy:0.70.0-46-nonroot as pipy
+
+# Build the final image
+FROM gcr.io/distroless/base-debian11:$DISTROLESS_TAG
 WORKDIR /
 COPY --from=builder /workspace/bin/ingress-pipy .
+COPY --from=pipy /usr/local/bin/pipy /usr/local/bin/pipy
+
+USER 65532:65532
 
 ENTRYPOINT ["/ingress-pipy"]