diff --git a/Dockerfile.scanner b/Dockerfile.scanner
index 00c116b..519e0b4 100644
--- a/Dockerfile.scanner
+++ b/Dockerfile.scanner
@@ -53,7 +53,7 @@ ENV SCANNER_MODE=true \
 SCANNER_INTERVAL=300
 
 # Run the scanner in background mode
-# Note: You may need to add a scanner-specific command to your CLI
-# For now, this assumes the serve command can run in scanner mode
+# The scanner runs the same serve command but uses SCANNER_MODE env var
+# and configuration to determine its role
 ENTRYPOINT ["/usr/local/bin/gohoarder"]
-CMD ["serve", "--scanner-only"]
+CMD ["serve"]
diff --git a/helm/gohoarder/templates/deployment-scanner.yaml b/helm/gohoarder/templates/deployment-scanner.yaml
index 6edb27f..a68e379 100644
--- a/helm/gohoarder/templates/deployment-scanner.yaml
+++ b/helm/gohoarder/templates/deployment-scanner.yaml
@@ -37,10 +37,8 @@ spec:
 mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
 {{- if .Values.security.scanners.trivy.enabled }}
 mkdir -p {{ .Values.security.scanners.trivy.cacheDb }}
- chown -R 1000:1000 {{ .Values.security.scanners.trivy.cacheDb }}
 {{- end }}
- chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
- chmod 750 /var/cache/gohoarder /var/lib/gohoarder
+ chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
 volumeMounts:
 - name: storage
 mountPath: /var/cache/gohoarder
@@ -53,7 +51,11 @@ spec:
 - name: tmp
 mountPath: /tmp/gohoarder
 securityContext:
- runAsUser: 0
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 containers:
 - name: scanner
 securityContext:
diff --git a/helm/gohoarder/templates/deployment-server.yaml b/helm/gohoarder/templates/deployment-server.yaml
index 7b027dc..915f69b 100644
--- a/helm/gohoarder/templates/deployment-server.yaml
+++ b/helm/gohoarder/templates/deployment-server.yaml
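Review bot: Dropping `--scanner-only` leaves `ENV SCANNER_MODE=true` (set just above this hunk) as the only thing that distinguishes this image from the server image, and the new comment does not say what `serve` does when that variable is unset or overridden by the deployment's env. If `serve` falls back to the full server in that case — which the old "assumes the serve command can run in scanner mode" wording suggests but I cannot confirm from here — a scanner pod with a clobbered env would silently come up as a listening server instead of failing. I would make the comment explicit, e.g. `# Role is selected by SCANNER_MODE alone (set above); if it is unset or overridden, serve starts the full server` (adjusted to the real fallback), and consider making the scanner role an explicit, required setting so the misconfiguration fails loudly.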
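Review bot: With both `chown -R 1000:1000` lines removed and the init container now running as UID 1000 (next hunk), nothing in this hunk guarantees that `/var/cache/gohoarder`, `/var/lib/gohoarder` or the trivy `cacheDb` are writable by that user; a freshly provisioned PersistentVolume is commonly root-owned, so the unguarded `mkdir -p .../metadata` on the first context line would fail the init container while the `chmod` failure on the same volume is hidden by `2>/dev/null || true`. This only works if the pod-level securityContext sets `fsGroup` and the volume type honours it, which is outside this hunk — if that is the design, state it in the script, e.g. `# ownership comes from the pod fsGroup; chmod is best-effort because fsGroup-managed volumes may reject it`. I would also keep the failure visible rather than discarding it: `chmod 750 /var/cache/gohoarder /var/lib/gohoarder || echo "warning: could not set permissions on data dirs" >&2`. The same chown removal appears in deployment-server.yaml at `@@ -36,8 +36,7 @@`.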
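Review bot: The new init-container securityContext drops all capabilities and privilege escalation but does not set `runAsNonRoot: true`, which is the check the kubelet enforces at container start and, together with a `seccompProfile` of `type: RuntimeDefault`, is what the Pod Security "restricted" profile requires alongside the fields added here. I would add `runAsNonRoot: true` and `seccompProfile:` / `type: RuntimeDefault` under this securityContext unless the pod-level securityContext (not in this hunk) already provides them. Since the `chown ... 1000:1000` was removed in the previous hunk, the group of the directories this container creates now depends on its default GID; a `runAsGroup: 1000` would pin that, though I cannot see from here what group the server container runs as. The same block is added to deployment-server.yaml at `@@ -46,7 +45,11 @@`.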
@@ -36,8 +36,7 @@ spec:
 args:
 - |
 mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
- chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
- chmod 750 /var/cache/gohoarder /var/lib/gohoarder
+ chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
 volumeMounts:
 - name: storage
 mountPath: /var/cache/gohoarder
@@ -46,7 +45,11 @@ spec:
 - name: tmp
 mountPath: /tmp/gohoarder
 securityContext:
- runAsUser: 0
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 containers:
 - name: server
 securityContext: