diff --git a/internal/source/containers_image.go b/internal/source/containers_image.go
index 3dd73568..5c611148 100644
--- a/internal/source/containers_image.go
+++ b/internal/source/containers_image.go
@@ -337,6 +337,8 @@ func applyLayerFilter(srcPath string) archive.Filter {
 		h.Uid = os.Getuid()
 		h.Gid = os.Getgid()
 		h.Mode |= 0700
+		h.PAXRecords = nil
+		h.Xattrs = nil //nolint:staticcheck
 
 		cleanName := path.Clean(strings.TrimPrefix(h.Name, "/"))
 		relPath, err := filepath.Rel(cleanSrcPath, cleanName)
diff --git a/internal/source/containers_image_internal_test.go b/internal/source/containers_image_internal_test.go
index 0c3ba128..23e72a8b 100644
--- a/internal/source/containers_image_internal_test.go
+++ b/internal/source/containers_image_internal_test.go
@@ -2,9 +2,11 @@ package source
 
 import (
 	"archive/tar"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/util/rand"
 )
 
 func TestContainersImage_applyLayerFilter(t *testing.T) {
@@ -116,6 +118,34 @@ func TestContainersImage_applyLayerFilter(t *testing.T) {
 				assert.NoError(t, err)
 			},
 		},
+		{
+			name:     "correctly sets permissions, uid/gid, and file attributes",
+			srcPaths: []string{"foo"},
+			tarHeaders: []tar.Header{
+				{
+					Name: "foo/bar",
+					Mode: 0000,
+					Uid:  rand.Int(),
+					Gid:  rand.Int(),
+					Xattrs: map[string]string{ //nolint:staticcheck
+						"foo": "bar",
+					},
+					PAXRecords: map[string]string{
+						"fizz": "buzz",
+					},
+				},
+			},
+			assertion: func(tarHeader *tar.Header, keep bool, err error) {
+				assert.True(t, keep)
+				assert.NoError(t, err)
+				assert.Equal(t, "foo/bar", tarHeader.Name)
+				assert.Equal(t, int64(0700), tarHeader.Mode)
+				assert.Equal(t, os.Getuid(), tarHeader.Uid)
+				assert.Equal(t, os.Getgid(), tarHeader.Gid)
+				assert.Nil(t, tarHeader.PAXRecords)
+				assert.Nil(t, tarHeader.Xattrs) //nolint:staticcheck
+			},
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			for _, srcPath := range tc.srcPaths {