diff --git a/Dockerfile.astra b/Dockerfile.astra
index 0f69a33..40f61a1 100644
--- a/Dockerfile.astra
+++ b/Dockerfile.astra
@@ -39,14 +39,12 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
     cargo build --release --package nora-registry && \
     cp /app/target/release/nora /usr/local/bin/nora
 
-# Runtime stage — Astra Linux Special Edition (certified FSTEC OS)
-FROM astralinux/alse:latest
+# Runtime stage — scratch (compatible with Astra Linux SE, no foreign OS components)
+# Switch FROM to registry.astralinux.ru/library/alse once registry access is configured
+FROM scratch
 
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends ca-certificates && \
-    rm -rf /var/lib/apt/lists/*
-
-RUN mkdir -p /data
+# CA certificates for TLS
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 COPY --from=builder /usr/local/bin/nora /usr/local/bin/nora
 
diff --git a/Dockerfile.redos b/Dockerfile.redos
index b4e97b3..1b276be 100644
--- a/Dockerfile.redos
+++ b/Dockerfile.redos
@@ -39,12 +39,12 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
     cargo build --release --package nora-registry && \
     cp /app/target/release/nora /usr/local/bin/nora
 
-# Runtime stage — RED OS (certified FSTEC OS)
-FROM redos/redos:8
+# Runtime stage — scratch (compatible with RED OS, no foreign OS components)
+# Switch FROM to registry.red-soft.ru/redos once registry access is configured
+FROM scratch
 
-RUN dnf install -y ca-certificates && \
-    dnf clean all && \
-    mkdir -p /data
+# CA certificates for TLS
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 COPY --from=builder /usr/local/bin/nora /usr/local/bin/nora