diff --git a/.tekton/discovery-ui-pull-request.yaml b/.tekton/discovery-ui-pull-request.yaml
index 7edd0eab..a9dd40e4 100644
--- a/.tekton/discovery-ui-pull-request.yaml
+++ b/.tekton/discovery-ui-pull-request.yaml
@@ -30,6 +30,14 @@ spec:
     value: Containerfile
   - name: path-context
     value: .
+  - name: hermetic
+    value: "true"
+  - name: build-source-image
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "npm", "path": "."}'
+  - name: build-args-file
+    value: ".tekton/downstream-build-arguments.conf"
   pipelineSpec:
     description: |
       This pipeline is ideal for building container images from a Containerfile while reducing network traffic.
diff --git a/.tekton/discovery-ui-push.yaml b/.tekton/discovery-ui-push.yaml
index eb547101..2068ffc9 100644
--- a/.tekton/discovery-ui-push.yaml
+++ b/.tekton/discovery-ui-push.yaml
@@ -27,6 +27,14 @@ spec:
     value: Containerfile
   - name: path-context
     value: .
+  - name: hermetic
+    value: "true"
+  - name: build-source-image
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "npm", "path": "."}'
+  - name: build-args-file
+    value: ".tekton/downstream-build-arguments.conf"
   pipelineSpec:
     description: |
       This pipeline is ideal for building container images from a Containerfile while reducing network traffic.
diff --git a/.tekton/downstream-build-arguments.conf b/.tekton/downstream-build-arguments.conf
new file mode 100644
index 00000000..798ab9d0
--- /dev/null
+++ b/.tekton/downstream-build-arguments.conf
@@ -0,0 +1,6 @@
+K8S_DESCRIPTION=Discovery UI
+K8S_DISPLAY_NAME=discovery-ui
+K8S_NAME=discovery/discovery-ui-rhel9
+OCP_TAGS=discovery
+QUIPUCORDS_BRANDED=true
+REDHAT_COMPONENT=discovery-ui-container
diff --git a/Containerfile b/Containerfile
index 0bf710a2..588111e1 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,18 +1,46 @@
 FROM registry.access.redhat.com/ubi9/nodejs-18 as npm_builder
+ARG QUIPUCORDS_BRANDED="false"
 # Become root before installing anything
 USER root
-RUN dnf update -y && dnf clean all
-
 # install dependencies in a separate layer to save dev time
 WORKDIR /app
 COPY package.json package-lock.json .
-RUN npm install --omit=dev
+RUN npm ci \
+    --no-audit \
+    --legacy-peer-deps \
+    --omit=dev
 
 COPY . .
-RUN npm run build
+RUN export UI_BRAND=${QUIPUCORDS_BRANDED}; npm run build
 
 FROM registry.access.redhat.com/ubi9/nginx-122
+ARG K8S_DESCRIPTION="Quipucords UI"
+ARG K8S_DISPLAY_NAME="quipucords-ui"
+ARG K8S_NAME="quipucords/quipucords-ui"
+ARG OCP_TAGS="quipucords"
+ARG REDHAT_COMPONENT="quipucords-ui-container"
+
+# original NGINX user; update if the number ever change
+# https://github.com/sclorg/nginx-container/blob/e7d8db9bc5299a4c4e254f8a82e917c7c136468b/1.22/Dockerfile.rhel9#L84
+ENV NGINX_USER=1001
+# temporarily switch to root user
+USER root
+# konflux requires licenses in this folder
+RUN mkdir /licenses
+COPY --from=npm_builder /app/LICENSE /licenses/LICENSE
 COPY --from=npm_builder /app/build /opt/app-root/src
 COPY deploy/nginx.conf /etc/nginx/nginx.conf.template
 COPY deploy/entrypoint.sh /opt/app-root/.
+# set ownership to nginx user and change back to it
+RUN chown ${NGINX_USER} -R /licenses /opt/app-root/
+USER ${NGINX_USER}
+
 CMD ["/bin/bash", "/opt/app-root/entrypoint.sh"]
+
+LABEL com.redhat.component=${REDHAT_COMPONENT} \
+    description=${K8S_DESCRIPTION} \
+    io.k8s.description=${K8S_DESCRIPTION} \
+    io.k8s.display-name=${K8S_DISPLAY_NAME} \
+    io.openshift.tags=${OCP_TAGS} \
+    name=${K8S_NAME} \
+    summary=${K8S_DESCRIPTION}