diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 206925b..56ce360 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -50,7 +50,10 @@ jobs:
 id: scan
 with:
 sbom: sbom.spdx.json
+ severity-cutoff: high
 fail-build: false
+ only-fixed: true
+ by-cve: true
 - name: upload Anchore scan SARIF report
 uses: github/codeql-action/upload-sarif@v2
diff --git a/Dockerfile b/Dockerfile
index e072e52..e5e443a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,11 @@
-FROM debian:buster as stage
-ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one
+FROM debian:bookworm as stage
+ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/bookworm/pool/main/z/zerotier-one
 ARG ARCH=amd64
 ARG VERSION=1.12.2
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates curl
 RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
-FROM debian:buster
+FROM debian:bookworm
 RUN mkdir /app
 WORKDIR /app
 COPY --from=stage zerotier-one.deb .
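Review bot: The new `severity-cutoff: high` and `only-fixed: true` keys only narrow what the scan reports, because `fail-build: false` is kept on the line between them, so no finding of any severity gates the build; if the intent is report-only that should be stated next to the setting. `only-fixed: true` also drops high and critical findings that have no upstream fix from the uploaded SARIF, which means the image can ship with unfixed criticals that never appear in code scanning. I would add a comment above `severity-cutoff`, `# report-only: fail-build stays false; only-fixed hides unfixed high/critical CVEs, so review the SBOM scan output separately`, or alternatively keep the cutoff and drop `only-fixed` so unfixed findings remain visible. The scan step's `uses:` line and the rest of the job are outside the hunk, so I cannot tell whether another step enforces a gate.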
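Review bot: The download URL changes to the bookworm pool on the new `PACKAGE_BASEURL` line, but the unchanged `curl -sSL` below it has no `-f`, so if that pool does not serve `zerotier-one_1.12.2_amd64.deb` the build writes the HTTP error body to `zerotier-one.deb` and only fails, if at all, at the later install step outside this hunk. Use `RUN curl -fsSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"` so a missing package fails the layer immediately. The downloaded .deb is also never checksum- or signature-verified before being copied into the runtime stage, and both new `FROM debian:bookworm` lines use a floating tag rather than a digest, so the image is not reproducible across rebuilds; a comment such as `# TODO: pin debian:bookworm by digest and verify the .deb checksum (expected value: <PLACEHOLDER_SHA256>)` would record the gap. The second stage continues past the `COPY --from=stage` line, so the install and USER setup are not visible here.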