diff --git a/SUSE/docker-compose/README.md b/SUSE/docker-compose/README.md
index 99e145e14..077d69de9 100644
--- a/SUSE/docker-compose/README.md
+++ b/SUSE/docker-compose/README.md
@@ -95,6 +95,13 @@ The initial user must be an email address associated with a valid remote account
When configuring the authentication service, the callback URI should be the same as `public_url` above but with `/auth/oidc/callback` appended. For example, `https://sensor-demo.dyn.cloud.suse.de/auth/oidc/callback`
+The sensor frontend runs as user velociraptor in the container and needs permissions to some directories on the host. Find the ids that are baked into the image and chown the directories to those, e.g.:
+
+ # docker run --rm -t registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest id velociraptor
+ uid=499(velociraptor) gid=486(velociraptor) groups=486(velociraptor)
+
+ # chown 499:486 config/velociraptor logs/velociraptor data/velociraptor artifacts
+
### Traefik
An example `traefik.toml` file is provided as `config/traefik/traefik.toml.example`. Several values must be filled in and the resultant file installed in `config/traefik/traefik.toml`.
diff --git a/SUSE/docker-compose/artifacts/README.md b/SUSE/docker-compose/artifacts/README.md
new file mode 100644
index 000000000..74d1a063c
--- /dev/null
+++ b/SUSE/docker-compose/artifacts/README.md
@@ -0,0 +1,4 @@
+Placeholder file
+=
+
+This file is a placeholder so that the artifacts directory exists in the Git repository.
diff --git a/SUSE/docker-compose/docker-compose.yml b/SUSE/docker-compose/docker-compose.yml
index 8176f19c7..9dd019c57 100644
--- a/SUSE/docker-compose/docker-compose.yml
+++ b/SUSE/docker-compose/docker-compose.yml
@@ -31,10 +31,10 @@ services:
- /var/lib/ca-certificates/ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro
restart: unless-stopped
sensor-frontend:
- image: registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
+ image: ${SENSOR_IMAGE}
hostname: sensor-frontend
container_name: sensor-frontend
- user: "1000:100"
+ user: "velociraptor:velociraptor"
ports:
- "8000:8000" # Frontend
# - "8003:8003" # Monitoring
@@ -44,6 +44,7 @@ services:
- ./config/velociraptor:/config
- ./data/velociraptor:/data
- ./logs/velociraptor:/logs
+ - ./artifacts:/artifacts
- /var/lib/ca-certificates/ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro
labels:
traefik.enable: "true"
@@ -61,7 +62,7 @@ services:
restart: unless-stopped
sensor-client:
- image: registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
+ image: ${SENSOR_IMAGE}
hostname: sensor-client
container_name: sensor-client
user: root
diff --git a/SUSE/docker-compose/env.example b/SUSE/docker-compose/env.example
index 9de78a766..9259c9446 100644
--- a/SUSE/docker-compose/env.example
+++ b/SUSE/docker-compose/env.example
@@ -1 +1,2 @@
SENSOR_GUI_HOSTNAME=
+SENSOR_IMAGE=registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
diff --git a/SUSE/docker/Dockerfile b/SUSE/docker/Dockerfile
index 6655f00b5..807649403 100644
--- a/SUSE/docker/Dockerfile
+++ b/SUSE/docker/Dockerfile
@@ -17,6 +17,7 @@ LABEL org.opensuse.reference="registry.opensuse.org/security/sensor/containers/l
VOLUME /data
VOLUME /logs
VOLUME /config
+VOLUME /artifacts
# API
EXPOSE 8801
diff --git a/SUSE/docker/Dockerfile.devel b/SUSE/docker/Dockerfile.devel
index 41178c703..6b1b2bc06 100644
--- a/SUSE/docker/Dockerfile.devel
+++ b/SUSE/docker/Dockerfile.devel
@@ -1,8 +1,11 @@
FROM opensuse/leap:15.4
+ARG SENSOR_BIN=velociraptor-v0.7.0-4-linux-amd64
+
VOLUME /data
VOLUME /logs
VOLUME /config
+VOLUME /artifacts
# API
EXPOSE 8801
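Review bot: `user: "velociraptor:velociraptor"` is resolved against the image's /etc/passwd when the container starts, and in this diff only Dockerfile.devel adds that account (SUSE/docker/Dockerfile gains only `VOLUME /artifacts`), so the published image must already carry it — the README hunk claims uid 499/gid 486 — or the frontend will not start; confirm that, or keep a numeric `user: "499:486"` so startup does not depend on the image's passwd. Separately, `${SENSOR_IMAGE}` has no default and no guard, so a checkout without a `.env` copied from env.example expands to an empty image reference and fails with an unhelpful error; `image: ${SENSOR_IMAGE:?set SENSOR_IMAGE in .env}` fails fast with a clear message. The same applies to the `image:` line in the sensor-client hunk below.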
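Review bot: `- ./artifacts:/artifacts` is mounted read-write, and the README hunk tells operators to chown that directory to the container user, so the frontend process itself can modify the definitions it loads via `--definitions=/artifacts` (entry-point.sh hunk below); as far as I understand Velociraptor, artifact definitions decide what is collected and executed on enrolled endpoints, so they deserve the handling of code rather than of runtime data. If the frontend only reads from that directory, mount it `- ./artifacts:/artifacts:ro` and leave the host directory root-owned, so definitions change only through a deliberate deploy step and not through whatever runs as the frontend's uid.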
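Review bot: `SENSOR_IMAGE=...:latest` makes the floating `:latest` tag the committed default for both the frontend and the sensor-client (which the compose file runs as root), so each `docker compose pull` silently takes whatever the registry currently publishes. Prefer a version tag or digest as the default, e.g. `SENSOR_IMAGE=registry.opensuse.org/security/sensor/containers/linux-security-sensor:<version>` (placeholder), and the `id velociraptor` lookup in the README hunk should then be run against the same reference that is deployed, since the ids are only valid for that image.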
@@ -20,6 +23,9 @@ COPY entry-point.sh generate-config.sh /
COPY init-config.json /etc/velociraptor/
RUN chmod a+x /entry-point.sh /generate-config.sh
RUN zypper -q --non-interactive install catatonit && zypper clean -a
-COPY velociraptor-v0.6.4-2-linux-amd64 /usr/bin/velociraptor
+COPY ${SENSOR_BIN} /usr/bin/velociraptor
+
+RUN groupadd velociraptor && useradd -c "Velociraptor User" -g velociraptor -d /var/lib/velociraptor -s /sbin/nologin velociraptor
+USER velociraptor:velociraptor
CMD ["/usr/bin/catatonit", "--", "/entry-point.sh" ]
diff --git a/SUSE/docker/Dockerfile.local b/SUSE/docker/Dockerfile.local
index da7aa7edc..9a76bda65 100644
--- a/SUSE/docker/Dockerfile.local
+++ b/SUSE/docker/Dockerfile.local
@@ -3,6 +3,7 @@ FROM opensuse/leap:15.4
VOLUME /data
VOLUME /logs
VOLUME /config
+VOLUME /artifacts
# API
EXPOSE 8801
diff --git a/SUSE/docker/entry-point.sh b/SUSE/docker/entry-point.sh
index b2267d062..8e4dec279 100644
--- a/SUSE/docker/entry-point.sh
+++ b/SUSE/docker/entry-point.sh
@@ -7,4 +7,4 @@ if test ! -e "${SERVER_CONFIG}"; then
/generate-config.sh
fi
-exec velociraptor frontend -v --config "${SERVER_CONFIG}"
+exec velociraptor frontend -v --config "${SERVER_CONFIG}" --definitions=/artifacts
diff --git a/SUSE/docker/generate-config.sh b/SUSE/docker/generate-config.sh
index 67b010605..5a2da9634 100644
--- a/SUSE/docker/generate-config.sh
+++ b/SUSE/docker/generate-config.sh
@@ -37,4 +37,4 @@ awk " { if (seen_client == 1 && skip_record != 1) print \$0; } " < "${SERVER_CONFIG}" > "${CLIENT_CONFIG}"
-sed -e 's#https://sensor-frontend:8000/#https//velociraptor.fqdn:8000/' < "${CLIENT_CONFIG}" > "${CLIENT_CONFIG}.template"
+sed -e 's#https://sensor-frontend:8000/#https//velociraptor.fqdn:8000/#' < "${CLIENT_CONFIG}" > "${CLIENT_CONFIG}.template"
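Review bot: The `useradd` in the added RUN line has neither `-r` nor an explicit `--uid`/`--gid`, so the account gets whatever id is free at build time and will most likely not match the 499:486 the README hunk documents for the published image; operators who follow those chown instructions against a devel build then get permission errors on the bind-mounted /config, /data and /logs once `USER velociraptor:velociraptor` is in effect. Pin the ids to the values the release image uses, e.g. `RUN groupadd -r -g <GID> velociraptor && useradd -r -u <UID> -c "Velociraptor User" -g velociraptor -d /var/lib/velociraptor -s /sbin/nologin velociraptor` (placeholders). There is also no `-m` and no mkdir for /var/lib/velociraptor, so the home directory presumably does not exist in the image — confirm nothing in entry-point.sh or the binary relies on it.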
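Review bot: The replacement text is still missing the colon after the scheme — `https//velociraptor.fqdn:8000/` — so now that the delimiter is fixed the sed reliably writes an invalid URL into the client config template; it should read `sed -e 's#https://sensor-frontend:8000/#https://velociraptor.fqdn:8000/#' < "${CLIENT_CONFIG}" > "${CLIENT_CONFIG}.template"`. The awk invocation shown in the context lines starts outside the hunk.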