diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index a4af190a..3964e0c4 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -37,6 +37,8 @@ jobs:
           tags: ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:latest, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}-${{ steps.set-properties.outputs.DATE }}
           file: Dockerfile
           push: true
+          provenance: mode=max
+          sbom: true
           build-args: |
             VERSION=${{ steps.set-properties.outputs.VERSION }}
       - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
diff --git a/Dockerfile b/Dockerfile
index 691a323a..05da379f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,9 @@
 FROM node:22-alpine
 ARG VERSION=latest
+RUN addgroup -S mcp && adduser -S mcp -G mcp
 RUN npm install -g mongodb-mcp-server@${VERSION}
+USER mcp
+WORKDIR /home/mcp
 ENTRYPOINT ["mongodb-mcp-server"]
 LABEL maintainer="MongoDB Inc <info@mongodb.com>"
 LABEL description="MongoDB MCP Server"
diff --git a/src/index.ts b/src/index.ts
index ee332072..8f5738cf 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -31,6 +31,22 @@ try {
 
     const transport = createEJsonTransport();
 
+    process.on("SIGINT", () => {
+        logger.info(LogId.serverCloseRequested, "server", `Server close requested`);
+
+        server
+            .close()
+            .then(() => {
+                logger.info(LogId.serverClosed, "server", `Server closed successfully`);
+                process.exit(0);
+            })
+            .catch((err: unknown) => {
+                const error = err instanceof Error ? err : new Error(String(err));
+                logger.error(LogId.serverCloseFailure, "server", `Error closing server: ${error.message}`);
+                process.exit(1);
+            });
+    });
+
     await server.connect(transport);
 } catch (error: unknown) {
     logger.emergency(LogId.serverStartFailure, "server", `Fatal error running server: ${error as string}`);
diff --git a/src/logger.ts b/src/logger.ts
index 1fa694bd..73cf0103 100644
--- a/src/logger.ts
+++ b/src/logger.ts
@@ -9,6 +9,9 @@ export type LogLevel = LoggingMessageNotification["params"]["level"];
 export const LogId = {
     serverStartFailure: mongoLogId(1_000_001),
     serverInitialized: mongoLogId(1_000_002),
+    serverCloseRequested: mongoLogId(1_000_003),
+    serverClosed: mongoLogId(1_000_004),
+    serverCloseFailure: mongoLogId(1_000_005),
 
     atlasCheckCredentials: mongoLogId(1_001_001),
     atlasDeleteDatabaseUserFailure: mongoLogId(1_001_002),