diff --git a/.dockerignore b/.dockerignore
deleted file mode 100644
index d4ac3e8bf..000000000
--- a/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-*Makefile.swagger
\ No newline at end of file
diff --git a/.tekton/backfill-redis-1-0-gamma-pull-request.yaml b/.tekton/backfill-redis-1-0-gamma-pull-request.yaml
index 6bc42f82d..faf5caea5 100644
--- a/.tekton/backfill-redis-1-0-gamma-pull-request.yaml
+++ b/.tekton/backfill-redis-1-0-gamma-pull-request.yaml
@@ -32,6 +32,10 @@ spec:
     value: '{{revision}}'
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
   pipelineSpec:
     finally:
     - name: show-sbom
diff --git a/.tekton/backfill-redis-1-0-gamma-push.yaml b/.tekton/backfill-redis-1-0-gamma-push.yaml
index ceeb473d1..5eeb99b41 100644
--- a/.tekton/backfill-redis-1-0-gamma-push.yaml
+++ b/.tekton/backfill-redis-1-0-gamma-push.yaml
@@ -29,6 +29,10 @@ spec:
     value: '{{revision}}'
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
   pipelineSpec:
     finally:
     - name: show-sbom
diff --git a/.tekton/rekor-server-1-0-gamma-pull-request.yaml b/.tekton/rekor-server-1-0-gamma-pull-request.yaml
index 3b1245665..b597590a3 100644
--- a/.tekton/rekor-server-1-0-gamma-pull-request.yaml
+++ b/.tekton/rekor-server-1-0-gamma-pull-request.yaml
@@ -32,6 +32,10 @@ spec:
     value: '{{revision}}'
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
   pipelineSpec:
     finally:
     - name: show-sbom
diff --git a/.tekton/rekor-server-1-0-gamma-push.yaml b/.tekton/rekor-server-1-0-gamma-push.yaml
index 0698fb821..0a16c9a45 100644
--- a/.tekton/rekor-server-1-0-gamma-push.yaml
+++ b/.tekton/rekor-server-1-0-gamma-push.yaml
@@ -29,6 +29,10 @@ spec:
     value: '{{revision}}'
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
   pipelineSpec:
     finally:
     - name: show-sbom
diff --git a/Dockerfile b/Dockerfile
index 4a27fc0e6..e832afa38 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,17 +14,23 @@
 # limitations under the License.
 
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 AS build-env
+
+RUN mkdir /opt/app-root && mkdir /opt/app-root/src && mkdir /opt/app-root/src/cmd && mkdir /opt/app-root/src/pkg && git config --global --add safe.directory /opt/app-root/src
+
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
 
 WORKDIR $APP_ROOT/src/
 ADD go.mod go.sum $APP_ROOT/src/
+RUN go mod download
 
 # Add source code
 ADD ./cmd/ $APP_ROOT/src/cmd/
 ADD ./pkg/ $APP_ROOT/src/pkg/
 
-RUN go mod tidy && go mod vendor
+# Add source code
+ADD ./cmd/ $APP_ROOT/src/cmd/
+ADD ./pkg/ $APP_ROOT/src/pkg/
 
 ARG SERVER_LDFLAGS
 RUN go build -ldflags "${SERVER_LDFLAGS}" ./cmd/rekor-server
diff --git a/Dockerfile.backfill-redis b/Dockerfile.backfill-redis
index 7a075596c..266cba786 100644
--- a/Dockerfile.backfill-redis
+++ b/Dockerfile.backfill-redis
@@ -1,15 +1,17 @@
-#Build stage
+# Build stage
+
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 AS build-env
 USER root
-ENV APP_ROOT=/opt/app-root
+RUN mkdir /opt/app-root && mkdir /opt/app-root/src && mkdir /opt/app-root/src/cmd && mkdir /opt/app-root/src/pkg && git config --global --add safe.directory /opt/app-root/src
+
+WORKDIR /opt/app-root/src/
+
+COPY . .
 
-WORKDIR $APP_ROOT/src/
+run make backfill-redis
 
-RUN git config --global --add safe.directory /opt/app-root/src
-ADD . .
-RUN go mod tidy && go mod vendor && make backfill-redis
 
-#Install stage
+# Install stage
 FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:7d1ea7ac0c6f464dac7bae6994f1658172bf6068229f40778a513bc90f47e624
 COPY --from=build-env /opt/app-root/src/backfill-redis /usr/local/bin/backfill-redis
 WORKDIR /opt/app-root/src/home
diff --git a/Dockerfile.cli b/Dockerfile.cli
index 1d1aeffa0..40da5c27b 100644
--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@@ -2,11 +2,10 @@
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 AS build-env
 USER root
 
-RUN mkdir /opt/app-root && mkdir /opt/app-root/src
+RUN mkdir /opt/app-root && mkdir /opt/app-root/src && git config --global --add safe.directory /opt/app-root/src
 
 WORKDIR /opt/app-root/src
 
-RUN git config --global --add safe.directory /opt/app-root/src
 COPY . .
 
 WORKDIR /opt/app-root/src/hack/tools