diff --git a/.github/workflows/security-weekly-rebuild.yml b/.github/workflows/security-weekly-rebuild.yml
index 44ca3b2e..7dbbcabb 100644
--- a/.github/workflows/security-weekly-rebuild.yml
+++ b/.github/workflows/security-weekly-rebuild.yml
@@ -48,11 +48,12 @@ jobs:
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 - name: Resolve Debian base image digest
- id: caddy
+ id: base-image
 run: |
- docker pull debian:bookworm-slim
- DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' debian:bookworm-slim)
- echo "image=$DIGEST" >> $GITHUB_OUTPUT
+ docker pull debian:trixie-slim
+ DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' debian:trixie-slim)
+ echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+ echo "Base image digest: $DIGEST"
 - name: Log in to Container Registry
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -84,7 +85,7 @@ jobs:
 VERSION=security-scan
 BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
 VCS_REF=${{ github.sha }}
- CADDY_IMAGE=${{ steps.caddy.outputs.image }}
+ BASE_IMAGE=${{ steps.base-image.outputs.digest }}
 - name: Run Trivy vulnerability scanner (CRITICAL+HIGH)
 uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
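Review bot: In the first hunk's `run:` block, the value written to `$GITHUB_OUTPUT` is never checked to be a digest-pinned reference before the build step consumes it. `{{index .RepoDigests 0}}` yields a `repo@sha256:…` reference rather than a bare digest, so the output name `digest` undersells what it holds. If it ever came back empty or malformed, the `BASE_IMAGE` build argument in the second hunk would presumably leave the build on whatever default the Dockerfile carries. I would add a guard after the inspect line, `case "$DIGEST" in *@sha256:*) ;; *) echo "unexpected base image reference: $DIGEST" >&2; exit 1 ;; esac`. I would also quote the redirect target as `>> "$GITHUB_OUTPUT"`.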
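Review bot: Nothing in this diff shows the Dockerfile declaring `ARG BASE_IMAGE` and consuming it in `FROM`, which the renamed build argument in the second hunk depends on. Docker does not fail a build over an argument the Dockerfile never declares, so a name mismatch would leave the weekly rebuild on the Dockerfile's own default base. The Trivy step that follows would then scan an image that was not built from the freshly resolved digest. It is worth confirming that the Dockerfile's `FROM` uses `${BASE_IMAGE}` and that its default tracks `debian:trixie-slim`, the tag now pulled in the first hunk. The enclosing build step starts outside this hunk.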