diff --git a/Dockerfile b/Dockerfile
index dddc826..2a46e4d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,10 +15,15 @@ RUN set -xo pipefail; apk add --no-cache curl gnupg &&\
   tar -C /dest -xvzf alpine-minirootfs-${VERSION}-${ALPINE_ARCH}.tar.gz &&\
   sed -i "s#http://dl-cdn.alpinelinux.org/alpine/v${ALPINE_SERIES}#${ALPINE_MIRROR}#g" /dest/etc/apk/repositories
 
+ADD scan-deps.sh /bin/scan-deps
+
 FROM scratch
 ARG VERSION
 ARG DATE
 COPY --from=build /dest /
-RUN apk add --no-cache ca-certificates curl
+RUN set -xe;\
+  apk add --no-cache ca-certificates curl &&\
+  apk upgrade -a &&\
+  rm -rf /var/cache/apk/*
 CMD ["/bin/sh"]
 LABEL version.alpine=$VERSION build.date=$DATE
diff --git a/Jenkinsfile b/Jenkinsfile
index 446499c..6263b3c 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,4 +1,4 @@
-version = "3.16.2"
+version = "3.16.3"
 project = "alpine"
 repo = "zknt"
 registry = "reg.zknt.org"
diff --git a/build.yaml b/build.yaml
index 4cdda59..cf8c8f7 100644
--- a/build.yaml
+++ b/build.yaml
@@ -1,5 +1,5 @@
 ---
-version: 3.16.2
+version: 3.16.3
 project: alpine
 additional_tags:
   - 3.16
diff --git a/scan-deps.sh b/scan-deps.sh
new file mode 100755
index 0000000..cbbbd6d
--- /dev/null
+++ b/scan-deps.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+scanelf --needed --nobanner --format '%n#p' --recursive $@ | tr ',' '\n' | sort -u | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }'