diff --git a/.tekton/scanner-v4-build.yaml b/.tekton/scanner-v4-build.yaml
index 5f148d5ac45c7..3b094d7666adf 100644
--- a/.tekton/scanner-v4-build.yaml
+++ b/.tekton/scanner-v4-build.yaml
@@ -50,7 +50,11 @@ spec:
 - name: hermetic
 value: "true"
 - name: prefetch-input
- value: '{"type": "gomod", "path": "."}'
+ value: |
+ [
+ { "type": "gomod", "path": "." },
+ { "type": "rpm", "path": "." }
+ ]
 - name: build-source-image
 value: 'true'
 - name: clone-depth
diff --git a/.tekton/scanner-v4-pipeline.yaml b/.tekton/scanner-v4-pipeline.yaml
index 51af4a1ee52de..f9d45c5d43b0e 100644
--- a/.tekton/scanner-v4-pipeline.yaml
+++ b/.tekton/scanner-v4-pipeline.yaml
@@ -256,6 +256,8 @@ spec:
 value: $(params.output-image-repo):konflux-$(params.revision).prefetch
 - name: ociArtifactExpiresAfter
 value: $(params.oci-artifact-expires-after)
+ - name: ACTIVATION_KEY
+ value: subscription-manager-activation-key-prod
 taskRef:
 params:
 - name: name
diff --git a/rpms.in.yaml b/rpms.in.yaml
index 0c8c5c040264b..eb25925292844 100644
--- a/rpms.in.yaml
+++ b/rpms.in.yaml
@@ -5,13 +5,12 @@ packages:
 # builder stage in image/rhel/konflux.Dockerfile
 - jq
 # final stage in image/rhel/konflux.Dockerfile
-- findutils
 - postgresql
 # builder stage in operator/konflux.bundle.Dockerfile
 - python3.12-pyyaml
-# package_installer stage in operator/konflux.Dockerfile and image/roxctl/konflux.Dockerfile
+# package_installer stage in: operator/konflux.Dockerfile, image/roxctl/konflux.Dockerfile, scanner/image/scanner/konflux.Dockerfile
 - ca-certificates
-- openssl
+- openssl # required for FIPS support
 moduleEnable:
 # final stage in image/rhel/konflux.Dockerfile
 - postgresql:15
diff --git a/scanner/image/scanner/Dockerfile b/scanner/image/scanner/Dockerfile
index de5af7759692b..a615b5e55bfe0 100644
--- a/scanner/image/scanner/Dockerfile
+++ b/scanner/image/scanner/Dockerfile
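Review bot: The new `rpm` prefetch entry makes the hermetic build depend on a resolved `rpms.lock.yaml` next to `rpms.in.yaml`, and this diff only touches `rpms.in.yaml`; if the lockfile is not regenerated in the same change (it may simply be outside this excerpt), the prefetch will either fail or fetch a package set that no longer matches the input list, which also affects the `findutils` removal and the `openssl` addition in the `rpms.in.yaml` hunk. Also, the block scalar `|` carries a trailing newline into the JSON parameter; `value: |-` yields the same JSON without it and matches the single-line form it replaces. A one-line comment above the value, `# JSON array: one prefetch entry per package manager (gomod, rpm)`, would tell a reader why the value changed from an object to a list.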
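Review bot: `ACTIVATION_KEY` is set to a hard-coded identifier, `subscription-manager-activation-key-prod`, whereas the neighbouring task params are wired through `$(params.…)`; the `-prod` suffix suggests this is the name of a cluster Secret rather than the key material, but nothing on the line says so. Recommend a comment above the new param, `# Name of the Secret holding the subscription-manager activation key used by the rpm prefetch; the key itself is never stored in this file`. If other environments need a different key, expose it as a pipeline parameter with this value as the default instead of baking the prod name into the pipeline.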
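Review bot: `findutils` is removed under the comment `# final stage in image/rhel/konflux.Dockerfile`, but no change to that Dockerfile appears in this excerpt; if its final stage still installs `findutils`, the hermetic build will fail because the package is no longer prefetched, so the Dockerfile side of that removal should be in the same change. The inline comment `# required for FIPS support` on `openssl` is useful; the same kind of why is missing for `ca-certificates`, which the new scanner `package_installer` stage relies on for its CA-trust setup, e.g. `- ca-certificates # CA trust store used by import-additional-cas`.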
@@ -1,16 +1,45 @@
-ARG MAPPINGS_REGISTRY=registry.access.redhat.com
-ARG MAPPINGS_BASE_IMAGE=ubi9
-ARG MAPPINGS_BASE_TAG=latest
-ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi9-minimal
-ARG BASE_TAG=latest
+FROM registry.access.redhat.com/ubi9:latest AS ubi-base
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest AS ubi-micro-base
-FROM ${MAPPINGS_REGISTRY}/${MAPPINGS_BASE_IMAGE}:${MAPPINGS_BASE_TAG} AS mappings
+FROM ubi-base AS mappings
 COPY download-mappings.sh /download-mappings.sh
 RUN /download-mappings.sh /mappings
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+FROM ubi-base AS package_installer
+
+# Copy ubi-micro base to preserve rpmdb
+COPY --from=ubi-micro-base / /out/
+
+# Install packages directly to /out/ using --installroot
+RUN dnf install \
+ --installroot=/out/ \
+ --releasever=9 \
+ --setopt=install_weak_deps=False \
+ --nodocs \
+ -y \
+ ca-certificates && \
+ dnf --installroot=/out/ clean all && \
+ rm -rf /out/var/cache/dnf /out/var/cache/yum
+
+COPY scripts/entrypoint.sh \
+ scripts/import-additional-cas \
+ scripts/restore-all-dir-contents \
+ scripts/save-dir-contents /out/usr/local/bin/
+COPY bin/scanner /out/usr/local/bin/
+COPY THIRD_PARTY_NOTICES/ /out/THIRD_PARTY_NOTICES/
+
+COPY --from=mappings /mappings/repository-to-cpe.json /mappings/container-name-repos-map.json /out/run/mappings/
+
+# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
+# by the script `save-dir-contents` during the image build. The directory
+# contents are then restored by the script `restore-all-dir-contents`
+# during the container start.
+# Setup CA trust directories with proper permissions in /out/
+RUN chown -R 65534:65534 /out/etc/pki/ca-trust /out/etc/ssl /out/tmp && \
+ chroot /out /usr/local/bin/save-dir-contents /etc/pki/ca-trust/source
+
+FROM ubi-micro-base
 ARG LABEL_VERSION
 ARG LABEL_RELEASE
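Review bot: The new `RUN chown -R 65534:65534 /out/etc/pki/ca-trust /out/etc/ssl /out/tmp` gives the unprivileged runtime user recursive write access to `/etc/ssl`, which the stage it replaces did not do (the removed lines in the next hunk chown only `/tmp` and `/etc/pki/ca-trust`); anything running as 65534 in the container can then modify whatever lives under `/etc/ssl` (on RHEL-family images typically the OpenSSL config and certificate symlinks), not just the additional-CA directory. If `import-additional-cas` only writes into `/etc/pki/ca-trust`, narrow the line to `RUN chown -R 65534:65534 /out/etc/pki/ca-trust /out/tmp && \`; if `/etc/ssl` genuinely must be writable, state the reason in the `# Setup CA trust directories` comment. The same widening appears in the `scanner/image/scanner/konflux.Dockerfile` hunk's `RUN chown -R 65534:65534 /out/tmp /out/etc/pki/ca-trust /out/etc/ssl`.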
@@ -25,27 +54,9 @@ LABEL name="scanner-v4" \
 release="${LABEL_RELEASE}" \
 quay.expires-after="${QUAY_TAG_EXPIRATION}"
-SHELL ["/bin/sh", "-o", "pipefail", "-c"]
+COPY --from=package_installer /out/ /
-COPY scripts/entrypoint.sh \
- scripts/import-additional-cas \
- scripts/restore-all-dir-contents \
- scripts/save-dir-contents /usr/local/bin/
-COPY bin/scanner /usr/local/bin/
-COPY THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
-COPY --from=mappings /mappings/repository-to-cpe.json /mappings/container-name-repos-map.json /run/mappings/
-
-RUN microdnf upgrade -y --nobest && \
- microdnf clean all && \
- # (Optional) Remove line below to keep package management utilities
- rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
- rm -rf /var/cache/dnf /var/cache/yum && \
- chown -R 65534:65534 /tmp && \
- # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
- # by the script `save-dir-contents` during the image build. The directory
- # contents are then restored by the script `restore-all-dir-contents`
- # during the container start.
- chown -R 65534:65534 /etc/pki/ca-trust && save-dir-contents /etc/pki/ca-trust/source
+SHELL ["/bin/sh", "-o", "pipefail", "-c"]
 # This is equivalent to nobody:nobody.
 USER 65534:65534
diff --git a/scanner/image/scanner/konflux.Dockerfile b/scanner/image/scanner/konflux.Dockerfile
index 391db9e4aa8c5..18df02cd594c7 100644
--- a/scanner/image/scanner/konflux.Dockerfile
+++ b/scanner/image/scanner/konflux.Dockerfile
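Review bot: The removed `RUN microdnf upgrade -y --nobest` was the only step that pulled base-image package fixes into the final image, and the new `package_installer` stage in the previous hunk only runs `dnf install … ca-certificates` against `/out/`, so the image now ships whatever package versions the `ubi-micro:latest` tag carries at build time. If refreshing the base was meant to survive this rewrite, add `dnf upgrade -y --installroot=/out/ --releasever=9 --nodocs && \` ahead of the install in that stage, or note in a comment that the base tag is now the only source of fixes. Separately, `SHELL ["/bin/sh", "-o", "pipefail", "-c"]` now follows the `COPY --from=package_installer` with no `RUN` after it in this hunk; if nothing later in the stage uses shell form it is dead and can go, otherwise it reads clearer placed directly above that instruction. The enclosing stage continues past the end of this hunk.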
@@ -17,7 +17,55 @@ WORKDIR /src
 RUN make -C scanner NODEPS=1 CGO_ENABLED=1 image/scanner/bin/scanner copy-scripts
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base
+
+FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:6ed9f6f637fe731d93ec60c065dbced79273f1e0b5f512951f2c0b0baedb16ad AS package_installer
+
+# Copy ubi-micro base to preserve rpmdb
+COPY --from=ubi-micro-base / /out/
+
+# Install packages directly to /out/ using --installroot
+# Note: --setopt=reposdir=/etc/yum.repos.d instructs dnf to use repo configurations pointing to RPMs
+# prefetched by Hermeto/Cachi2, instead of installroot's default UBI repos.
+RUN dnf install -y \
+ --installroot=/out/ \
+ --releasever=9 \
+ --setopt=install_weak_deps=False \
+ --setopt=reposdir=/etc/yum.repos.d \
+ --nodocs \
+ ca-certificates \
+ openssl && \
+ dnf clean all --installroot=/out/ && \
+ rm -rf /out/var/cache/dnf /out/var/cache/yum
+
+COPY --from=builder \
+ /src/scanner/image/scanner/scripts/entrypoint.sh \
+ /src/scanner/image/scanner/scripts/import-additional-cas \
+ /src/scanner/image/scanner/scripts/restore-all-dir-contents \
+ /src/scanner/image/scanner/scripts/save-dir-contents \
+ /src/scanner/image/scanner/bin/scanner \
+ /out/usr/local/bin/
+
+# The mapping files are not optional.
+# The helm chart hard codes in the indexer config the path to the mapping
+# files. If the file does not exist, the indexer raises an error during bootstrap.
+# (Note that the file is downloaded from Central after initial seeding.)
+# Mapping files required by indexer config
+COPY .konflux/scanner-data/repository-to-cpe.json .konflux/scanner-data/container-name-repos-map.json /out/run/mappings/
+
+COPY LICENSE /out/licenses/LICENSE
+
+# The contents of paths mounted as emptyDir volumes in Kubernetes are saved
+# by the script `save-dir-contents` during the image build. The directory
+# contents are then restored by the script `restore-all-dir-contents`
+# during the container start.
+RUN chown -R 65534:65534 /out/tmp /out/etc/pki/ca-trust /out/etc/ssl && \
+ chroot /out /usr/local/bin/save-dir-contents /etc/pki/ca-trust/source
+
+
+FROM ubi-micro-base
+
+COPY --from=package_installer /out/ /
 ARG BUILD_TAG
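Review bot: `COPY --from=ubi-micro-base / /out/` followed by `FROM ubi-micro-base` and `COPY --from=package_installer /out/ /` writes the entire ubi-micro tree back onto the same base as a fresh layer, so the final image carries those files twice (once in the base layer, once in the copied layer) rather than only the delta the installer produced; if image size matters, consider whether the final stage can start from `scratch`, since all of its content already comes from `/out/`, and record the decision in a comment above the final `FROM`. Two new comments say the same thing back to back, the four-line `# The mapping files are not optional.` block and `# Mapping files required by indexer config`; keep one. There are also two consecutive blank lines before `FROM ubi-micro-base` where the rest of the file uses one. The final stage continues past the end of this hunk.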
@@ -40,34 +88,6 @@ LABEL \
 # We also set it to not inherit one from a base stage in case it's RHEL or UBI.
 release="1"
-COPY --from=builder \
- /src/scanner/image/scanner/scripts/entrypoint.sh \
- /src/scanner/image/scanner/scripts/import-additional-cas \
- /src/scanner/image/scanner/scripts/restore-all-dir-contents \
- /src/scanner/image/scanner/scripts/save-dir-contents \
- /src/scanner/image/scanner/bin/scanner \
- /usr/local/bin/
-
-# The mapping files are not optional.
-# The helm chart hard codes in the indexer config the path to the mapping
-# files. If the file does not exist, the indexer raises an error during bootstrap.
-# (Note that the file is downloaded from Central after initial seeding.)
-
-COPY .konflux/scanner-data/repository-to-cpe.json .konflux/scanner-data/container-name-repos-map.json /run/mappings/
-
-RUN microdnf clean all && \
- # (Optional) Remove line below to keep package management utilities
- rpm -e --nodeps $(rpm -qa curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
- rm -rf /var/cache/dnf /var/cache/yum && \
- chown -R 65534:65534 /tmp && \
- # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
- # by the script `save-dir-contents` during the image build. The directory
- # contents are then restored by the script `restore-all-dir-contents`
- # during the container start.
- chown -R 65534:65534 /etc/pki/ca-trust && save-dir-contents /etc/pki/ca-trust/source
-
-COPY LICENSE /licenses/LICENSE
-
 # This is equivalent to nobody:nobody.
 USER 65534:65534