diff --git a/.ci/tests/integration-oauth2/cases/java-download-function-generic-auth/manifests.yaml b/.ci/tests/integration-oauth2/cases/java-download-function-generic-auth/manifests.yaml
index 8e4623ddc..121ffe580 100644
--- a/.ci/tests/integration-oauth2/cases/java-download-function-generic-auth/manifests.yaml
+++ b/.ci/tests/integration-oauth2/cases/java-download-function-generic-auth/manifests.yaml
@@ -4,6 +4,7 @@ metadata:
 name: function-download-sample-generic-auth
 namespace: default
 spec:
+ image: streamnative/pulsar-functions-pulsarctl-java-runner:3.2.2.1
 className: org.apache.pulsar.functions.api.examples.ExclamationFunction
 forwardSourceMessageProperty: true
 maxPendingAsyncRequests: 1000
diff --git a/.ci/tests/integration-oauth2/cases/py-download-from-http-function/manifests.yaml b/.ci/tests/integration-oauth2/cases/py-download-from-http-function/manifests.yaml
index b6947c1fa..0dbe98663 100644
--- a/.ci/tests/integration-oauth2/cases/py-download-from-http-function/manifests.yaml
+++ b/.ci/tests/integration-oauth2/cases/py-download-from-http-function/manifests.yaml
@@ -4,6 +4,7 @@ metadata:
 name: py-function-download-from-http-sample
 namespace: default
 spec:
+ image: streamnative/pulsar-functions-pulsarctl-python-runner:3.2.2.1
 className: exclamation
 forwardSourceMessageProperty: true
 maxPendingAsyncRequests: 1000
diff --git a/.ci/tests/integration-oauth2/cases/py-download-function-legacy/manifests.yaml b/.ci/tests/integration-oauth2/cases/py-download-function-legacy/manifests.yaml
index e0460e6f5..e82384550 100644
--- a/.ci/tests/integration-oauth2/cases/py-download-function-legacy/manifests.yaml
+++ b/.ci/tests/integration-oauth2/cases/py-download-function-legacy/manifests.yaml
@@ -4,6 +4,7 @@ metadata:
 name: py-function-download-legacy-sample
 namespace: default
 spec:
+ image: streamnative/pulsar-functions-pulsarctl-python-runner:3.2.2.1
 className: exclamation_function.ExclamationFunction
 forwardSourceMessageProperty: true
 maxPendingAsyncRequests: 1000
diff --git a/.ci/tests/integration-oauth2/cases/py-download-function/manifests.yaml b/.ci/tests/integration-oauth2/cases/py-download-function/manifests.yaml
index 98dd8fe74..9d0d88351 100644
--- a/.ci/tests/integration-oauth2/cases/py-download-function/manifests.yaml
+++ b/.ci/tests/integration-oauth2/cases/py-download-function/manifests.yaml
@@ -4,6 +4,7 @@ metadata:
 name: py-function-download-sample
 namespace: default
 spec:
+ image: streamnative/pulsar-functions-pulsarctl-python-runner:3.2.2.1
 className: exclamation_function.ExclamationFunction
 forwardSourceMessageProperty: true
 maxPendingAsyncRequests: 1000
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 7b5f6f902..3bcf97718 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -21,6 +21,7 @@ jobs:
 name: Scan
 permissions:
 pull-requests: write
+ issues: write
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
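Review bot: `issues: write` is added at job level in `.github/workflows/trivy.yml`, so every step of the `Scan` job gets a token that can write issues as well as pull requests, although only the comment step added later in this file calls the issues API. GitHub documents either `issues: write` or `pull-requests: write` as sufficient for creating a comment on a pull request, so the extra scope may not be needed; if it is, moving the comment step into its own job that alone carries the write permissions keeps the checkout and scan steps on a read-only token. A short comment beside the permission, e.g. `# needed by the "Comment on PR" step`, would record why it is there. The job definition continues outside this hunk.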
@@ -119,3 +120,59 @@ jobs:
 image-ref: 'pulsar-functions-pulsarctl-go-runner:latest'
 format: 'table'
 exit-code: '0'
+
+ # Comment on PR with the scan output since the action won't fail with CVEs
+ - name: Comment on PR
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const fs = require('fs');
+ const path = require('path');
+ const uniqueIdentifier = '#Runner Images Scan Result:';
+
+ // Function to get output from a file
+ function getOutput(stepId) {
+ const outputFile = path.join(process.env.GITHUB_WORKSPACE, `${stepId}_output.txt`);
+ if (fs.existsSync(outputFile)) {
+ return fs.readFileSync(outputFile, 'utf8');
+ }
+ return ''; // Return empty string if file does not exist
+ }
+
+ // Combine outputs from different steps
+ const outputs = [
+ { label: 'Java Runner', output: '${{ steps.scan-java-runner.outputs.result }}' },
+ { label: 'Python Runner', output: '${{ steps.scan-python-runner.outputs.result }}' },
+ { label: 'Go Runner', output: '${{ steps.scan-go-runner.outputs.result }}' },
+ { label: 'Java Runner with Pulsarctl', output: '${{ steps.scan-java-pulsarctl-runner.outputs.result }}' },
+ { label: 'Python Runner with Pulsarctl', output: '${{ steps.scan-python-pulsarctl-runner.outputs.result }}' },
+ { label: 'Go Runner with Pulsarctl', output: '${{ steps.scan-go-pulsarctl-runner.outputs.result }}' },
+ ].filter(item => item.output !== '');
+
+ // Format the combined message
+ let combinedMessage = outputs.map(item => `**${item.label} Vulnerabilities:**\n\`\`\`\n${item.output}\n\`\`\``).join('\n\n');
+ combinedMessage = `${uniqueIdentifier}\n\n` + combinedMessage; // Add unique identifier to the message
+
+ const issue_number = context.issue.number;
+ const { data: comments } = await github.rest.issues.listComments({
+ ...context.repo,
+ issue_number: issue_number,
+ });
+
+ // Find existing comment
+ const existingComment = comments.find(comment => comment.body.includes(uniqueIdentifier));
+
+ // Update or create comment
+ if (existingComment) {
+ await github.rest.issues.updateComment({
+ ...context.repo,
+ comment_id: existingComment.id,
+ body: combinedMessage
+ });
+ } else {
+ await github.rest.issues.createComment({
+ ...context.repo,
+ issue_number: issue_number,
+ body: combinedMessage
+ });
+ }
diff --git a/images/pulsar-functions-base-runner/pulsarctl.Dockerfile b/images/pulsar-functions-base-runner/pulsarctl.Dockerfile
index 063e373a9..123cba403 100644
--- a/images/pulsar-functions-base-runner/pulsarctl.Dockerfile
+++ b/images/pulsar-functions-base-runner/pulsarctl.Dockerfile
@@ -20,7 +20,7 @@ RUN mkdir -p /pulsar/bin/ \
 && chown -R $UID:$GID /pulsar \
 && chmod -R g=u /pulsar \
 && apk update && apk add --no-cache wget bash \
- && wget https://github.com/streamnative/pulsarctl/releases/download/v3.2.2.6/pulsarctl-amd64-linux.tar.gz -P /pulsar/bin/ \
+ && wget https://github.com/streamnative/pulsarctl/releases/latest/download/pulsarctl-amd64-linux.tar.gz -P /pulsar/bin/ \
 && tar -xzf /pulsar/bin/pulsarctl-amd64-linux.tar.gz -C /pulsar/bin/ \
 && rm -rf /pulsar/bin/pulsarctl-amd64-linux.tar.gz \
 && chmod +x /pulsar/bin/pulsarctl-amd64-linux/pulsarctl \
diff --git a/images/pulsar-functions-python-runner/Dockerfile b/images/pulsar-functions-python-runner/Dockerfile
index d25f665e7..13cb1e10a 100644
--- a/images/pulsar-functions-python-runner/Dockerfile
+++ b/images/pulsar-functions-python-runner/Dockerfile
@@ -11,6 +11,8 @@ COPY --from=pulsar --chown=$UID:$GID /pulsar/instances/deps /pulsar/instances/de
 # Below is a hacky way to copy /pulsar/pulsar-client if exist in pulsar image
 COPY --from=pulsar --chown=$UID:$GID /pulsar/README /pulsar/pulsar-clien* /pulsar/pulsar-client/
+ENV PULSAR_CLIENT_PYTHON_VERSION=3.5.0
+
 # Pulsar 2.8.0 removes /pulsar/cpp-client from docker image
 # But it required with Pulsar 2.7.X and below
 # to make this Dockerfile compalicate with different Pulsar versions
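Review bot: The `outputs` array in the new `script:` block pastes each `${{ steps.….outputs.result }}` expression into a single-quoted JavaScript literal, so the scan text becomes script source before the step runs. Trivy's `table` output is multi-line and built from package metadata of the scanned images, so a newline or quote breaks the script at best and, at worst, lets that text run as code with the job's write token. Pass the values through `env:` and read them from `process.env`, as sketched below with constructed variable names. `getOutput`, `fs` and `path` are declared but never used, and `listComments` returns only the first page, so on a long thread the marker comment can be missed and a duplicate posted; `github.paginate(github.rest.issues.listComments, {...})` covers that. Whether the scan steps define these `id`s and a `result` output is not visible in this hunk.

```yaml
      - name: Comment on PR
        uses: actions/github-script@v7
        env:
          # constructed variable names; one per scan step
          SCAN_JAVA_RUNNER: ${{ steps.scan-java-runner.outputs.result }}
          SCAN_PYTHON_RUNNER: ${{ steps.scan-python-runner.outputs.result }}
          # … the other four scan steps, same pattern …
        with:
          script: |
            // … unchanged: uniqueIdentifier …
            const outputs = [
              { label: 'Java Runner', output: process.env.SCAN_JAVA_RUNNER ?? '' },
              { label: 'Python Runner', output: process.env.SCAN_PYTHON_RUNNER ?? '' },
              // … the other four labels, same pattern …
            ].filter(item => item.output !== '');
            // … unchanged: message formatting, comment lookup, update-or-create …
```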
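Review bot: Switching the `wget` URL in `images/pulsar-functions-base-runner/pulsarctl.Dockerfile` from the pinned `v3.2.2.6` release to `releases/latest/download` makes the image depend on whichever pulsarctl release is newest at build time, so two builds of the same commit can ship different binaries and a Trivy result for one build says nothing about the next. The archive is also unpacked with no integrity check. Keep the version explicit (a build argument works) and verify the download before `tar`, e.g. `echo "<SHA256_OF_RELEASE_TARBALL>  /pulsar/bin/pulsarctl-amd64-linux.tar.gz" | sha256sum -c -` with the digest taken from the release page. The `RUN` instruction starts and continues outside this hunk.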
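Review bot: `PULSAR_CLIENT_PYTHON_VERSION` is set here in `images/pulsar-functions-python-runner/Dockerfile`, but the fallback `pip3 install 'pulsar-client[all]==3.5.0'` in the next hunk of this file, and both fallbacks in `images/pulsar-functions-python-runner/pulsarctl.Dockerfile`, repeat the literal instead of reading the variable. Presumably the variable is consumed by `/pulsar/bin/install-pulsar-client.sh`, which is not shown; if so, the script path and the fallback path can drift apart on the next bump. Use `pip3 install "pulsar-client[all]==${PULSAR_CLIENT_PYTHON_VERSION}"` in the fallbacks, and add a one-line comment above the `ENV` naming the script that reads it.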
@@ -31,7 +33,7 @@ RUN python3 get-pip.py
 WORKDIR /pulsar
 RUN if [ -f "/pulsar/bin/install-pulsar-client-37.sh" ]; then /pulsar/bin/install-pulsar-client-37.sh || true ; fi
-RUN if [ -f "/pulsar/bin/install-pulsar-client.sh" ]; then /pulsar/bin/install-pulsar-client.sh || pip3 install 'pulsar-client[all]==3.1.0' ; fi
+RUN if [ -f "/pulsar/bin/install-pulsar-client.sh" ]; then /pulsar/bin/install-pulsar-client.sh || pip3 install 'pulsar-client[all]==3.5.0' ; fi
 # this dir is duplicate with the installed pulsar-client pip package, and maybe not compatible with the `_pulsar`(the .so library package)
 RUN rm -rf /pulsar/instances/python-instance/pulsar/ \
diff --git a/images/pulsar-functions-python-runner/pulsarctl.Dockerfile b/images/pulsar-functions-python-runner/pulsarctl.Dockerfile
index cf48a3077..649541264 100644
--- a/images/pulsar-functions-python-runner/pulsarctl.Dockerfile
+++ b/images/pulsar-functions-python-runner/pulsarctl.Dockerfile
@@ -11,6 +11,8 @@ COPY --from=pulsar --chown=$UID:$GID /pulsar/instances/python-instance /pulsar/i
 # Below is a hacky way to copy /pulsar/pulsar-client if exist in pulsar image
 COPY --from=pulsar --chown=$UID:$GID /pulsar/README /pulsar/pulsar-clien* /pulsar/pulsar-client/
+ENV PULSAR_CLIENT_PYTHON_VERSION=3.5.0
+
 # Pulsar 2.8.0 removes /pulsar/cpp-client from docker image
 # But it required with Pulsar 2.7.X and below
 # to make this Dockerfile compalicate with different Pulsar versions
@@ -24,8 +26,8 @@ RUN apk update \
 && mv /usr/lib/python3.11/EXTERNALLY-MANAGED /usr/lib/python3.11/EXTERNALLY-MANAGED.old \
 && python3 get-pip.py && pip3 install --upgrade pip
-RUN if [ -f "/pulsar/bin/install-pulsar-client-37.sh" ]; then /pulsar/bin/install-pulsar-client-37.sh || pip3 install 'pulsar-client[all]==3.1.0' ; fi
-RUN if [ -f "/pulsar/bin/install-pulsar-client.sh" ]; then /pulsar/bin/install-pulsar-client.sh || pip3 install 'pulsar-client[all]==3.1.0' ; fi
+RUN if [ -f "/pulsar/bin/install-pulsar-client-37.sh" ]; then /pulsar/bin/install-pulsar-client-37.sh || pip3 install 'pulsar-client[all]==3.5.0' ; fi
+RUN if [ -f "/pulsar/bin/install-pulsar-client.sh" ]; then /pulsar/bin/install-pulsar-client.sh || pip3 install 'pulsar-client[all]==3.5.0' ; fi
 # this dir is duplicate with the installed pulsar-client pip package, and maybe not compatible with the `_pulsar`(the .so library package)
 RUN rm -rf /pulsar/instances/python-instance/pulsar/ \