diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index e9dcd739..55e0c7df 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -272,3 +272,26 @@ jobs:
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "- **Image**: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}" >> $GITHUB_STEP_SUMMARY
 echo "- **Integration Test**: ${{ job.status == 'success' && '✅ Passed' || '❌ Failed' }}" >> $GITHUB_STEP_SUMMARY
+
+ trivy-pr-app-only:
+ name: Trivy (PR) - App-only
+ runs-on: ubuntu-latest
+ if: github.event_name == 'pull_request'
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Build image locally for PR
+ run: |
+ docker build -t charon:pr-${{ github.sha }} .
+
+ - name: Extract `charon` binary from image
+ run: |
+ CONTAINER=$(docker create charon:pr-${{ github.sha }})
+ docker cp ${CONTAINER}:/app/charon ./charon_binary || true
+ docker rm ${CONTAINER} || true
+
+ - name: Run Trivy filesystem scan on `charon` (fail PR on HIGH/CRITICAL)
+ run: |
+ docker run --rm -v $HOME/.cache/trivy:/root/.cache/trivy -v $PWD:/workdir aquasec/trivy:latest fs --exit-code 1 --severity CRITICAL,HIGH /workdir/charon_binary
+ shell: bash
diff --git a/Dockerfile b/Dockerfile
index 5a0d00e0..03d04a4b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ ARG VCS_REF
 # this ARG to a specific v2.x tag when desired.
 ## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
 ## If the requested tag isn't available, fall back to a known-good v2.10.2 build.
-ARG CADDY_VERSION=2.11.1
+ARG CADDY_VERSION=2.10.2
 ## When an official caddy image tag isn't available on the host, use a
 ## plain Alpine base image and overwrite its caddy binary with our
 ## xcaddy-built binary in the later COPY step. This avoids relying on
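Review bot: The `|| true` on the `docker cp` line of the Extract step lets a failed extraction (binary not at `/app/charon`, or `docker create` returning nothing) pass silently, so the Trivy step is handed a missing path and whether the PR is then blocked depends on how Trivy reports a nonexistent target rather than on an explicit check; drop the `|| true` on the copy and assert the artifact before scanning, e.g. `docker cp "${CONTAINER}:/app/charon" ./charon_binary` followed by `test -s ./charon_binary`, keeping `|| true` only on the `docker rm` cleanup. The scan step also pulls `aquasec/trivy:latest`, a mutable tag, so a PR gate's verdict depends on whatever the registry serves that day; pin it to a version tag or, better, a digest (placeholder: `aquasec/trivy:<pinned-version>@sha256:<digest>`), and consider the same for the floating `actions/checkout@v4` major tag. The `$HOME/.cache/trivy` mount starts empty on a fresh hosted runner, so it will not carry the vulnerability DB between runs unless paired with a cache action — harmless, but a one-line comment saying so would prevent someone relying on it. The `jobs:` mapping this job belongs to starts outside the hunk.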