diff --git a/Dockerfile b/Dockerfile
index 6cc13cc..d9a2f6a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,15 @@
-FROM registry.cloudogu.com/official/java:17.0.12-1 as base
+FROM registry.cloudogu.com/official/java:17.0.9-1 as base
 ENV SONARQUBE_HOME=/opt/sonar \
 # mark as webapp for nginx
 SERVICE_TAGS=webapp \
- SONAR_VERSION=9.9.5.90363 \
+ SONAR_VERSION=10.6.0.92116 \
 CAS_PLUGIN_VERSION=5.0.2 \
 STARTUP_DIR="/"
 FROM base as builder
-ENV SONARQUBE_ZIP_SHA256=17b6cfab23fcd2e74b9c44aae6455a24eff3ba990a35a14ca186ded1411eefd3 \
+ENV SONARQUBE_ZIP_SHA256=73c541a77f79cbaec49022f5eba60388b3f91f41deb1fbf0abf9bbedcb6dbbc2 \
 CAS_PLUGIN_JAR_SHA256=82f9fd7f65c9ce255f4f1dd6649a65a1f7eaf2acbc6a54f2c8103cbc2a42010f \
 BUILDER_HOME="/builder/sonar"
@@ -27,7 +27,7 @@ RUN echo "${CAS_PLUGIN_JAR_SHA256} *${BUILDER_HOME}/sonar-cas-plugin-${CAS_PLUGI
 FROM base
 LABEL NAME="official/sonar" \
- VERSION="9.9.5-3" \
+ VERSION="9.9.4-1" \
 maintainer="hello@cloudogu.com"
 RUN set -eux \
diff --git a/Makefile b/Makefile
index cfb9b90..64b5e87 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-MAKEFILES_VERSION=9.1.0
+MAKEFILES_VERSION=9.2.0
 .DEFAULT_GOAL:=dogu-release
 WORKSPACE=/workspace
diff --git a/build/make/bats.mk b/build/make/bats.mk
index ce1319c..7e73553 100644
--- a/build/make/bats.mk
+++ b/build/make/bats.mk
@@ -9,7 +9,7 @@ BATS_SUPPORT=$(BATS_LIBRARY_DIR)/bats-support
 BATS_FILE=$(BATS_LIBRARY_DIR)/bats-file
 BATS_BASE_IMAGE?=bats/bats
 BATS_CUSTOM_IMAGE?=cloudogu/bats
-BATS_TAG?=1.2.1
+BATS_TAG?=1.11.0
 BATS_DIR=build/make/bats
 BATS_WORKDIR="${WORKDIR}"/"${BATS_DIR}"
diff --git a/build/make/bats/Dockerfile b/build/make/bats/Dockerfile
index 428ee05..7167a94 100644
--- a/build/make/bats/Dockerfile
+++ b/build/make/bats/Dockerfile
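Review bot: The `FROM` line in the first hunk of the top-level Dockerfile moves the base image backwards, from `java:17.0.12-1` to `java:17.0.9-1`, in the same commit that raises `SONAR_VERSION` to 10.6.0.92116. An older JRE base presumably gives up whatever fixes the later image shipped, so unless the downgrade is deliberate the line should stay `FROM registry.cloudogu.com/official/java:17.0.12-1 as base`. The second Dockerfile hunk (`@@ -27,7 +27,7 @@`) takes the same backwards step: `VERSION="9.9.4-1"` replaces `"9.9.5-3"` and no longer corresponds to the SonarQube release being packaged, so the image label stops being a reliable way to tell which patch level is deployed. Both changes look like a merge or rebase artefact, though that cannot be confirmed from the diff alone. The final stage continues past the end of the second hunk.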
@@ -1,7 +1,9 @@
 ARG BATS_BASE_IMAGE
 ARG BATS_TAG
-FROM ${BATS_BASE_IMAGE}:${BATS_TAG}
+FROM ${BATS_BASE_IMAGE:-bats/bats}:${BATS_TAG:-1.11.0}
 # Make bash more findable by scripts and tests
 RUN apk add make git bash
+# suppress git "detected dubious ownership" error/warning for repos which are checked out later
+RUN git config --global --add safe.directory /workspace
\ No newline at end of file
diff --git a/build/make/vulnerability-scan.mk b/build/make/vulnerability-scan.mk
new file mode 100644
index 0000000..5698206
--- /dev/null
+++ b/build/make/vulnerability-scan.mk
@@ -0,0 +1,13 @@
+##@ Vulnerability scan
+
+GOVULNCHECK_BIN=${UTILITY_BIN_PATH}/govulncheck
+GOVULNCHECK_VERSION?=latest
+
+${GOVULNCHECK_BIN}: ${UTILITY_BIN_PATH}
+ $(call go-get-tool,$(GOVULNCHECK_BIN),golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION))
+
+.PHONY: govulncheck
+govulncheck: ${GOVULNCHECK_BIN} ## This target is used to scan the go repository against known vulnerabilities
+ @echo "Start vulnerability against repository"
+ ${GOVULNCHECK_BIN} -show verbose ./...
+ @echo "Finished scan"
\ No newline at end of file
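Review bot: The comment above the added `RUN git config --global --add safe.directory /workspace` in build/make/bats/Dockerfile describes it as suppressing a warning, but the line switches off git's repository-ownership check for that path, and the comment should say so. Something like `# trust /workspace although it is owned by another UID (mounted checkout); keep this scoped to the one path, never '*'` would keep a later edit from widening it. Because `--global` writes to the build user's home, the setting is only picked up when the container runs as that same user; if the bats container is started under a different UID (not visible here), `git config --system --add safe.directory /workspace` would cover that case. The file also still ends without a trailing newline.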
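Review bot: `GOVULNCHECK_VERSION?=latest` in the new build/make/vulnerability-scan.mk leaves the scanner unpinned, so each fresh checkout or CI runner installs whatever `golang.org/x/vuln/cmd/govulncheck` resolves to at that moment, and results are not reproducible between machines. Pin a reviewed release instead, e.g. `GOVULNCHECK_VERSION?=<pinned release tag>` (placeholder; pick the tag you have vetted), and bump it deliberately. Since `${GOVULNCHECK_BIN}` is a file target, an already installed binary is never refreshed anyway, so `latest` does not deliver the freshness it suggests. The first echo is missing a word and would read better as `@echo "Start vulnerability scan against repository"`. `go-get-tool` is defined outside this diff, so how it fetches and verifies the module cannot be judged here.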