diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml.disabled
similarity index 100%
rename from .github/workflows/ci.yml
rename to .github/workflows/ci.yml.disabled
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 0000000000..1a6ed73615
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,40 @@
+name: SBOM & Vulnerability Scan
+
+on:
+  push:
+    branches: ["release/*"]
+  pull_request:
+    branches: ["release/*"]
+  workflow_dispatch:
+
+jobs:
+  sbom:
+    name: Generate SBOM and scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: |
+          docker build -t postgres:local -f 18/alpine3.23/Dockerfile 18/alpine3.23/
+
+      - name: Generate SBOM (Syft)
+        uses: anchore/sbom-action@v0
+        with:
+          image: postgres:local
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
+
+      - name: Scan vulnerabilities (Grype)
+        uses: anchore/scan-action@v6
+        with:
+          image: postgres:local
+          fail-build: false
+          output-format: table
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-postgres
+          path: sbom.cdx.json
+          retention-days: 90
diff --git a/.github/workflows/verify-templating.yml b/.github/workflows/verify-templating.yml.disabled
similarity index 100%
rename from .github/workflows/verify-templating.yml
rename to .github/workflows/verify-templating.yml.disabled
diff --git a/18/alpine3.23/Dockerfile b/18/alpine3.23/Dockerfile
index 7aebb1e412..a44eacca02 100644
--- a/18/alpine3.23/Dockerfile
+++ b/18/alpine3.23/Dockerfile
@@ -15,35 +15,11 @@ RUN set -eux; \
 # see https://github.com/docker-library/postgres/issues/274
 	install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
 
-# grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.19
+# Use su-exec instead of gosu to avoid Go stdlib CVEs in gosu binary.
+# su-exec is a minimal C alternative available in Alpine packages.
 RUN set -eux; \
-	\
-	apk add --no-cache --virtual .gosu-deps \
-		ca-certificates \
-		dpkg \
-		gnupg \
-	; \
-	\
-	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
-	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
-	\
-# verify the signature
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
-	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-	\
-# clean up fetch dependencies
-	apk del --no-network .gosu-deps; \
-	\
-	chmod +x /usr/local/bin/gosu; \
-# verify that the binary works
-	gosu --version; \
-	gosu nobody true
+	apk add --no-cache su-exec; \
+	ln -s /sbin/su-exec /usr/local/bin/gosu
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation