diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 0ca1f6d7..802f451b 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -287,6 +287,7 @@ jobs:
             traefik/whoami
 
       - name: Run Charon Container
+        timeout-minutes: 3
         run: |
           docker run -d \
             --name test-container \
@@ -294,6 +295,15 @@ jobs:
             -p 8080:8080 \
             -p 80:80 \
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}
+
+          # Wait for container to be healthy (max 2 minutes)
+          echo "Waiting for container to start..."
+          timeout 120s bash -c 'until docker exec test-container wget -q -O- http://localhost:8080/api/v1/health 2>/dev/null | grep -q "status"; do echo "Waiting..."; sleep 2; done' || {
+            echo "❌ Container failed to become healthy"
+            docker logs test-container
+            exit 1
+          }
+          echo "✅ Container is healthy"
       - name: Run Integration Test
         timeout-minutes: 5
         run: ./scripts/integration-test.sh
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index c62e9a3c..880bb7b8 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -91,7 +91,7 @@ ACQUIS_EOF
     # Update hub index to ensure CrowdSec can start
     if [ ! -f "/etc/crowdsec/hub/.index.json" ]; then
         echo "Updating CrowdSec hub index..."
-        cscli hub update 2>/dev/null || echo "Warning: Failed to update hub index (network issue?)"
+        timeout 60s cscli hub update 2>/dev/null || echo "⚠️ Hub update timed out or failed, continuing..."
     fi
 
     # Ensure local machine is registered (auto-heal for volume/config mismatch)