diff --git a/.hadolint.yaml b/.hadolint.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cece24b6b6720823a0a4f0f20bd64008ec9ae224
--- /dev/null
+++ b/.hadolint.yaml
@@ -0,0 +1,2 @@
+ignored:
+ - DL3007
diff --git a/Dockerfile b/Dockerfile
index 21830a0a1de53dc3b773352faa6fb87827fb92b8..a3d444d5c456a1f402fb6bc66f1bb7902cd8ea3f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,28 @@
-FROM registry.cyberbrain.pw/docker/grype:latest AS base
+FROM registry.cyberbrain.pw/tools/docker/grype:latest AS base
 
-FROM registry.cyberbrain.pw/docker/alpine:latest AS common
+FROM registry.cyberbrain.pw/tools/docker/alpine:latest AS common
 
 FROM common AS executor
-COPY --from=base /grype /grype
-RUN chmod +x /grype; /grype db update -v
+ENV GRYPE_CHECK_FOR_APP_UPDATE="false" \
+ GRYPE_DB_CACHE_DIR="/tmp/db" \
+ GRYPE_DB_AUTO_UPDATE="false"
+COPY --from=base /grype /bin/grype
+RUN set -ex && \
+ chmod a+x /bin/grype && \
+ mkdir -p ${GRYPE_DB_CACHE_DIR} && \
+ chmod -R 0777 ${GRYPE_DB_CACHE_DIR} && \
+ /bin/grype db update -v
 
 FROM common AS runtime
 ENV GRYPE_CHECK_FOR_APP_UPDATE="false" \
 GRYPE_DB_CACHE_DIR="/srv/grype/db" \
 GRYPE_DB_AUTO_UPDATE="false"
-COPY --from=executor /grype /bin/
+COPY --from=base /grype /bin/
 RUN set -ex && \
 chmod a+x /bin/grype && \
 mkdir -p ${GRYPE_DB_CACHE_DIR} && \
 chmod -R 0777 ${GRYPE_DB_CACHE_DIR}
-COPY --from=executor /root/.cache/grype/db ${GRYPE_DB_CACHE_DIR}
+COPY --from=executor /tmp/db ${GRYPE_DB_CACHE_DIR}
 RUN set -ex && \
 chmod -R 0555 ${GRYPE_DB_CACHE_DIR}
 LABEL org.label-schema.description="A vulnerability scanner for container images and filesystems (standalone)"
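Review bot: Ignoring DL3007 silences the one check that would flag the two `:latest` base images in the Dockerfile, both of which this commit rewrites to a new registry path without pinning a tag or digest. For a scanner image whose output is only as trustworthy as its inputs, the base images should be pinned (`FROM registry.cyberbrain.pw/tools/docker/grype:<tag>@sha256:<digest> AS base`, with placeholder values) and the ignore dropped rather than the rule suppressed repository-wide. If `:latest` is a deliberate choice because the registry is an internal mirror that only promotes vetted images, record that reason next to the entry, e.g. `# DL3007: internal mirror, :latest is the promoted/tested image`, so the suppression is auditable.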
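Review bot: The new `RUN … /bin/grype db update -v` step in the executor stage has no changing build input, so the build cache will reuse that layer indefinitely and, because the runtime stage sets `GRYPE_DB_AUTO_UPDATE="false"`, the shipped vulnerability DB silently stays as old as the last uncached build even when the image is rebuilt. Force the fetch to re-run on each release, for example by building with `--no-cache-filter=executor`, or by adding a cache-busting `ARG DB_REFRESH` (constructed name) immediately before the RUN and referencing it in the same layer, and document the chosen mechanism in a comment above the step. The `chmod -R 0777 ${GRYPE_DB_CACHE_DIR}` on `/tmp/db` in the executor stage is unnecessary since the same root build user writes the directory in the next command; `mkdir -p ${GRYPE_DB_CACHE_DIR} && \` alone is enough, and the world-writable bit never needs to exist. The hunk ends at the LABEL line, so I cannot see whether the runtime stage ever sets `USER`; if it does not, the scanner runs as root with a 0555 DB dir, which is the wrong way round for least privilege.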