diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 070dec2e781..9ae9ca191be 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -74,3 +74,10 @@ updates:
 rebase-strategy: disabled
 commit-message:
 prefix: ":seedling:"
+- package-ecosystem: docker
+ directory: "/attestor"
+ schedule:
+ interval: weekly
+ rebase-strategy: disabled
+ commit-message:
+ prefix: ":seedling:"
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 9ae8533b3f7..4b447142c5d 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -259,3 +259,31 @@ jobs:
 cache: true
 - name: docker build
 run: make cron-github-server-docker
+ attestor:
+ name: attestor-docker
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ needs:
+ - docs_only_check
+ if: (needs.docs_only_check.outputs.docs_only != 'true')
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ - name: Install Protoc
+ uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
+ with:
+ version: ${{ env.PROTOC_VERSION }}
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Clone the code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: Setup Go
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ with:
+ go-version-file: ${{ env.GO_VERSION_FILE }}
+ check-latest: true
+ cache: true
+ - name: docker build
+ run: make build-attestor-docker
diff --git a/attestor/Dockerfile b/attestor/Dockerfile
index ec4d6949b04..915ec7ce8a0 100644
--- a/attestor/Dockerfile
+++ b/attestor/Dockerfile
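Review bot: The `Clone the code` step in the new `attestor` job of `.github/workflows/docker.yml` uses `actions/checkout` with its defaults, so the job token is left in the checkout's `.git/config` while `make build-attestor-docker` runs. The attestor Dockerfile touched by this same commit does `COPY . ./`, so if the build context is the repository root and no `.dockerignore` excludes `.git` (neither is visible here), that credential ends up in an image layer. Adding `with:` / `persist-credentials: false` to the checkout step removes it; the build does not appear to need git credentials. Separately, Harden Runner is left at `egress-policy: audit`, which only records outbound connections; the TODO to switch to `block` would be easier to follow up if it referenced a tracking issue.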
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang@sha256:ea3d912d500b1ae0a691b2e53eb8a6345b579d42d7e6a64acca83d274b949740 AS base
+FROM golang:1.19@sha256:6b3fa4b908676231b50acbbc00e84d8cee9c6ce072b1175c0ff352c57d8a612f AS base
 WORKDIR /src/scorecard
 COPY . ./