diff --git a/devops/gc/deploy/templates/unit-deploy.yml b/devops/gc/deploy/templates/unit-deploy.yml
index bc3e012c88986064fcc709daa3d36ae5526f72c5..afcd904ff586a3d5c8c3a896c133e6029ebdf0db 100644
--- a/devops/gc/deploy/templates/unit-deploy.yml
+++ b/devops/gc/deploy/templates/unit-deploy.yml
@@ -30,7 +30,7 @@ spec:
             name: {{ .Values.conf.configmap | quote }}
         securityContext:
           allowPrivilegeEscalation: false
-          runAsUser: 0
+          runAsNonRoot: true
         ports:
         - containerPort: 8080
         resources:
diff --git a/provider/unit-gc/cloudbuild/Dockerfile.cloudbuild b/provider/unit-gc/cloudbuild/Dockerfile.cloudbuild
index 034cb69a695defe3adf1d0d3dda033a17dc729a8..1ad57a5d09bd6c7ca0da5474d5ec63074873241a 100644
--- a/provider/unit-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/unit-gc/cloudbuild/Dockerfile.cloudbuild
@@ -5,5 +5,12 @@ ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/unit-gc/unit-gke/target/unit-gke-*.jar unit.jar
 COPY data/unit_catalog_v2.json /mnt/unit_catalogs/unit_catalog_v2.json
+
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
+
 # Run the web service on container startup.
 CMD java -Djava.security.egd=file:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/unit.jar