diff --git a/.konflux/scripts/rpm-prefetching/rpms.in.yaml b/.konflux/scripts/rpm-prefetching/rpms.in.yaml
new file mode 100644
index 000000000..ec40315aa
--- /dev/null
+++ b/.konflux/scripts/rpm-prefetching/rpms.in.yaml
@@ -0,0 +1,12 @@
+packages: [xz]
+contentOrigin:
+ repofiles: ["./ubi.repo"]
+context:
+ containerfile:
+ file: ../../../image/scanner/rhel/konflux.Dockerfile
+ stageName: scanner-common
+arches:
+ - aarch64
+ - ppc64le
+ - s390x
+ - x86_64
diff --git a/.konflux/scripts/rpm-prefetching/rpms.lock.yaml b/.konflux/scripts/rpm-prefetching/rpms.lock.yaml
new file mode 100644
index 000000000..55c92bdbb
--- /dev/null
+++ b/.konflux/scripts/rpm-prefetching/rpms.lock.yaml
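Review bot: `packages: [xz]` has to mirror the `microdnf install xz` line in image/scanner/rhel/konflux.Dockerfile, but nothing in this file records that coupling or that the lockfile must be regenerated afterwards, so a later package addition in the Dockerfile will only surface as a failed hermetic build. I would add above `packages`: `# Keep in sync with the microdnf install line in image/scanner/rhel/konflux.Dockerfile (stage scanner-common); after editing, re-run .konflux/scripts/update-rpm-lockfile.sh to refresh rpms.lock.yaml.` The `context.containerfile` entry is what ties the resolution to that stage's base image, so the comment is also the natural place to say that the lock must be refreshed when that base changes.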
@@ -0,0 +1,48 @@
+---
+lockfileVersion: 1
+lockfileVendor: redhat
+arches:
+- arch: aarch64
+ packages:
+ - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/aarch64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.aarch64.rpm
+ repoid: ubi-8-baseos-rpms
+ size: 156276
+ checksum: sha256:342a2504cb34c9a5c1d43906f534cb1f3bf1de58ac517d575cff57053d04ab00
+ name: xz
+ evr: 5.2.4-4.el8_6
+ sourcerpm: xz-5.2.4-4.el8_6.src.rpm
+ source: []
+ module_metadata: []
+- arch: ppc64le
+ packages:
+ - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/ppc64le/baseos/os/Packages/x/xz-5.2.4-4.el8_6.ppc64le.rpm
+ repoid: ubi-8-baseos-rpms
+ size: 162264
+ checksum: sha256:80d2fc754452ae52b3b36504e5cceb5cd5435a97999351402ae7a28298592a01
+ name: xz
+ evr: 5.2.4-4.el8_6
+ sourcerpm: xz-5.2.4-4.el8_6.src.rpm
+ source: []
+ module_metadata: []
+- arch: s390x
+ packages:
+ - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/s390x/baseos/os/Packages/x/xz-5.2.4-4.el8_6.s390x.rpm
+ repoid: ubi-8-baseos-rpms
+ size: 155012
+ checksum: sha256:7fb678077d965dd6aeb09df28ce05cba9c22e4110d4b52f1ee43986beb87a5ff
+ name: xz
+ evr: 5.2.4-4.el8_6
+ sourcerpm: xz-5.2.4-4.el8_6.src.rpm
+ source: []
+ module_metadata: []
+- arch: x86_64
+ packages:
+ - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/Packages/x/xz-5.2.4-4.el8_6.x86_64.rpm
+ repoid: ubi-8-baseos-rpms
+ size: 156884
+ checksum: sha256:fa4ceb20dbf23e9408a6446fefc4b709bc85e0bc563ca423569bbe08ecee2c5e
+ name: xz
+ evr: 5.2.4-4.el8_6
+ sourcerpm: xz-5.2.4-4.el8_6.src.rpm
+ source: []
+ module_metadata: []
diff --git a/.konflux/scripts/rpm-prefetching/ubi.repo b/.konflux/scripts/rpm-prefetching/ubi.repo
new file mode 100644
index 000000000..ed37785b6
--- /dev/null
+++ b/.konflux/scripts/rpm-prefetching/ubi.repo
@@ -0,0 +1,20 @@
+[ubi-8-baseos-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-appstream-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/appstream/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-codeready-builder-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/codeready-builder/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
diff --git a/.konflux/scripts/update-rpm-lockfile.sh b/.konflux/scripts/update-rpm-lockfile.sh
new file mode 100755
index 000000000..282770db4
--- /dev/null
+++ b/.konflux/scripts/update-rpm-lockfile.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+################################################
+# This script updates the RPM lockfile based on
+# the information in rpms.in.yaml.
+# If new RPMs are installed in the images, add
+# them to rpms.in.yaml and re-run this script.
+#
+# Usage: .konflux/scripts/update-rpm-lockfile.sh
+################################################
+
+set -euo pipefail
+
+RPM_LOCKFILE_VERSION="v0.13.2"
+BASE_IMAGE="registry.access.redhat.com/ubi8-minimal:latest"
+
+LOCAL_DIR="$(dirname "${BASH_SOURCE[0]}")/rpm-prefetching"
+RPM_LOCKFILE_RUNNER_IMAGE="localhost/rpm-lockfile-runner:latest"
+
+fetch_ubi_repo_definitions() {
+ podman run "${BASE_IMAGE}" cat /etc/yum.repos.d/ubi.repo > "${LOCAL_DIR}/ubi.repo"
+}
+
+build_rpm_lockfile_runner_image() {
+ curl "https://raw.githubusercontent.com/konflux-ci/rpm-lockfile-prototype/refs/tags/${RPM_LOCKFILE_VERSION}/Containerfile" \
+ | podman build -t "${RPM_LOCKFILE_RUNNER_IMAGE}" \
+ --build-arg GIT_REF=tags/${RPM_LOCKFILE_VERSION} -
+}
+
+run_rpm_lockfile_runner() {
+ local container_dir=/work
+ podman run --rm -v "$(pwd):${container_dir}" \
+ "${RPM_LOCKFILE_RUNNER_IMAGE}" \
+ --outfile="${container_dir}/${LOCAL_DIR}/rpms.lock.yaml" \
+ "${container_dir}/${LOCAL_DIR}/rpms.in.yaml"
+}
+
+fetch_ubi_repo_definitions
+build_rpm_lockfile_runner_image
+run_rpm_lockfile_runner
diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml
index 2a8113455..33c125b06 100644
--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -44,11 +44,10 @@ spec:
 value: '{{revision}}'
 - name: rebuild
 value: 'true'
- # TODO(ROX-20234): Enable hermetic builds
- # - name: hermetic
- # value: "true"
+ - name: hermetic
+ value: "true"
 - name: prefetch-input
- value: '{"type": "gomod", "path": "."}'
+ value: '[{"type": "gomod", "path": "."}, {"type": "rpm", "path": ".konflux/scripts/rpm-prefetching"}]'
 - name: build-source-image
 value: 'true'
 - name: build-target-stage
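Review bot: The `curl` in build_rpm_lockfile_runner_image runs without `-f`, so an HTTP error (for example a 404 for a mistyped `RPM_LOCKFILE_VERSION`) writes the error body to stdout with exit status 0; `set -o pipefail` does not catch that, and `podman build` then parses the error page as the Containerfile. Change it to `curl -fsSL "https://raw.githubusercontent.com/konflux-ci/rpm-lockfile-prototype/refs/tags/${RPM_LOCKFILE_VERSION}/Containerfile" \`. Two smaller points: `LOCAL_DIR` is derived from `BASH_SOURCE`, but `${container_dir}/${LOCAL_DIR}` only resolves inside the container when the script is invoked from the repository root as the usage comment shows, so a `cd` to the repo root at the top (or a check) would make that requirement explicit, and the first `podman run` lacks `--rm` and leaves a stopped container behind on every run. Both the runner Containerfile and `BASE_IMAGE` are fetched by movable references (a git tag and `:latest`), so the generated lockfile is only as reproducible as those references were at the time the script ran; pinning the Containerfile to a commit and recording the base image digest alongside the output would let a reviewer verify the lock.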
diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index eb0322548..db76b514f 100644
--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
@@ -230,6 +230,9 @@ spec:
 value: $(params.output-image-repo):konflux-$(params.revision).prefetch
 - name: ociArtifactExpiresAfter
 value: $(params.oci-artifact-expires-after)
+ # Required for RPM prefetching support
+ - name: dev-package-managers
+ value: "true"
 taskRef:
 params:
 - name: name
diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml
index fd2b10bf3..9b5f13f98 100644
--- a/.tekton/scanner-db-build.yaml
+++ b/.tekton/scanner-db-build.yaml
@@ -44,9 +44,8 @@ spec:
 value: '{{revision}}'
 - name: rebuild
 value: 'true'
- # TODO(ROX-20234): Enable hermetic builds
- # - name: hermetic
- # value: "true"
+ - name: hermetic
+ value: "true"
 # No language dependencies are required for scanner-db image.
 - name: prefetch-input
 value: ''
diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml
index a02bd0956..408f4b1b9 100644
--- a/.tekton/scanner-db-slim-build.yaml
+++ b/.tekton/scanner-db-slim-build.yaml
@@ -44,9 +44,8 @@ spec:
 value: '{{revision}}'
 - name: rebuild
 value: 'true'
- # TODO(ROX-20234): Enable hermetic builds
- # - name: hermetic
- # value: "true"
+ - name: hermetic
+ value: "true"
 # No language dependencies are required for scanner-db-slim image.
 - name: prefetch-input
 value: ''
diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml
index 18f48e1fd..1c49e620c 100644
--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
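Review bot: The comment `# Required for RPM prefetching support` above `dev-package-managers` says what the flag is for but not why it is needed or when it can be removed; the parameter name suggests it opts the prefetch task into package managers that are not yet generally available, which is the kind of temporary switch that tends to outlive its reason. I would extend it to `# Required for RPM prefetching support: the prefetch task treats rpm as a dev (non-GA) package manager, so it must be enabled explicitly; drop this once rpm is supported by default.` That reading is inferred from the parameter name rather than from anything visible in this hunk, so confirm it against the task's documentation before committing the wording.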
@@ -44,11 +44,10 @@ spec:
 value: '{{revision}}'
 - name: rebuild
 value: 'true'
- # TODO(ROX-20234): Enable hermetic builds
- # - name: hermetic
- # value: "true"
+ - name: hermetic
+ value: "true"
 - name: prefetch-input
- value: '{"type": "gomod", "path": "."}'
+ value: '[{"type": "gomod", "path": "."}, {"type": "rpm", "path": ".konflux/scripts/rpm-prefetching"}]'
 - name: build-source-image
 value: 'true'
 - name: build-target-stage
diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile
index 79049bdfa..df52c70b9 100644
--- a/image/db/rhel/konflux.Dockerfile
+++ b/image/db/rhel/konflux.Dockerfile
@@ -30,8 +30,7 @@ COPY image/db/rhel/scripts/docker-entrypoint.sh \
 COPY LICENSE /licenses/LICENSE
-RUN dnf upgrade -y --nobest && \
- localedef -f UTF-8 -i en_US en_US.UTF-8 && \
+RUN localedef -f UTF-8 -i en_US en_US.UTF-8 && \
 mkdir -p /var/lib/postgresql && \
 groupmod -g 70 postgres && \
 usermod -u 70 postgres -d /var/lib/postgresql && \
diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
index 731cd1125..c24a0bd50 100644
--- a/image/scanner/rhel/konflux.Dockerfile
+++ b/image/scanner/rhel/konflux.Dockerfile
@@ -1,8 +1,3 @@
-ARG BASE_REGISTRY=registry.access.redhat.com
-ARG BASE_IMAGE=ubi8-minimal
-ARG BASE_TAG=latest
-
-
 # Compiling scanner binaries and staging repo2cpe and genesis manifests
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.22 AS builder
@@ -35,7 +30,7 @@ COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesi
 # Common base for scanner slim and full
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS scanner-common
+FROM registry.access.redhat.com/ubi8-minimal:latest AS scanner-common
 ARG SCANNER_TAG
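Review bot: Dropping `dnf upgrade -y --nobest` changes the db image's security posture and the hunk does not record it: until now every build applied BaseOS/AppStream errata on top of the base image, and with the build now hermetic (.tekton/scanner-db-build.yaml and scanner-db-slim-build.yaml set `hermetic` with an empty `prefetch-input`) the installed package set is exactly the base image's, so CVE fixes reach this image only when the base image reference is refreshed. That is a defensible trade for reproducibility, but it should be stated at the RUN so the next reader does not re-add the upgrade and break the hermetic build: `# No dnf upgrade here: the build is hermetic (no network), so package fixes arrive through the base image; keep its reference current.` The same applies to the `microdnf upgrade --nobest` removal in image/scanner/rhel/konflux.Dockerfile (the last hunk of this diff). The RUN instruction continues past the end of this hunk.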
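Review bot: `FROM registry.access.redhat.com/ubi8-minimal:latest AS scanner-common` leaves the one unpinned input in an otherwise hermetic build: rpms.in.yaml resolves `xz` against this stage's base image (`context.containerfile` / `stageName: scanner-common`), and rpms.lock.yaml records only `xz-5.2.4-4.el8_6` with its checksums, with dependencies such as xz-libs assumed to come from whatever the base shipped when update-rpm-lockfile.sh last ran. When `:latest` moves, the locked RPM may no longer match the base's library level, and the mismatch only shows up at `microdnf install` time inside a network-less build. Pinning the base by digest (`ubi8-minimal@sha256:<digest-from-registry>`, placeholder) or a specific version tag, and bumping it in lock-step with regenerating the lockfile, keeps the two in agreement; the same `:latest` reference is used as `BASE_IMAGE` in .konflux/scripts/update-rpm-lockfile.sh, so both should move together. Since the removed `ARG BASE_REGISTRY`/`BASE_IMAGE`/`BASE_TAG` indirection was the only place this was parameterised, a comment at the FROM should record the coupling: `# Must match BASE_IMAGE in .konflux/scripts/update-rpm-lockfile.sh; regenerate rpms.lock.yaml whenever this changes.`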
@@ -66,8 +61,7 @@ COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifest
 COPY LICENSE /licenses/LICENSE
-RUN microdnf upgrade --nobest && \
- microdnf install xz && \
+RUN microdnf install xz && \
 microdnf clean all && \
 # (Optional) Remove line below to keep package management utilities
 # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.