diff --git a/go.mod b/go.mod
index 8a55d622..7aea38ef 100644
--- a/go.mod
+++ b/go.mod
@@ -6,6 +6,7 @@ require (
 	github.com/AlecAivazis/survey/v2 v2.3.7
 	github.com/alecthomas/jsonschema v0.0.0-20220216202328-9eeeec9d044b
 	github.com/defenseunicorns/zarf v0.32.3
+	github.com/fsnotify/fsnotify v1.7.0
 	github.com/goccy/go-yaml v1.11.3
 	github.com/mholt/archiver/v3 v3.5.1
 	github.com/mholt/archiver/v4 v4.0.0-alpha.8
@@ -197,7 +198,6 @@ require (
 	github.com/fluxcd/pkg/apis/kustomize v1.3.0 // indirect
 	github.com/fluxcd/pkg/apis/meta v1.3.0 // indirect
 	github.com/fluxcd/source-controller/api v1.2.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/gdamore/encoding v1.0.0 // indirect
diff --git a/src/pkg/bundle/tarball.go b/src/pkg/bundle/tarball.go
index f7b53dd3..360b4f41 100644
--- a/src/pkg/bundle/tarball.go
+++ b/src/pkg/bundle/tarball.go
@@ -40,7 +40,7 @@ func (tp *tarballBundleProvider) CreateBundleSBOM(extractSBOM bool) error {
 		return err
 	}
 	// make tmp dir for pkg SBOM extraction
-	err = os.Mkdir(filepath.Join(tp.dst, config.BundleSBOM), 0700)
+	err = os.Mkdir(filepath.Join(tp.dst, config.BundleSBOM), 0o700)
 	if err != nil {
 		return err
 	}
@@ -117,26 +117,30 @@ func (tp *tarballBundleProvider) getBundleManifest() error {
 	if tp.bundleRootManifest != nil {
 		return nil
 	}
+	// Create a secure temporary directory for handling files
+	secureTempDir, err := zarfUtils.MakeTempDir(config.CommonOptions.TempDirectory)
+	if err != nil {
+		return fmt.Errorf("failed to create a secure temporary directory: %w", err)
+	}
+	defer os.RemoveAll(secureTempDir) // Ensure cleanup of the temp directory
 
-	if err := av3.Extract(tp.src, "index.json", tp.dst); err != nil {
+	if err := av3.Extract(tp.src, "index.json", secureTempDir); err != nil {
 		return fmt.Errorf("failed to extract index.json from %s: %w", tp.src, err)
 	}
-
-	indexPath := filepath.Join(tp.dst, "index.json")
+	indexPath := filepath.Join(secureTempDir, "index.json")
 
 	defer os.Remove(indexPath)
 
 	b, err := os.ReadFile(indexPath)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to read index.json: %w", err)
 	}
 
 	var index ocispec.Index
 
 	if err := json.Unmarshal(b, &index); err != nil {
-		return err
+		return fmt.Errorf("failed to unmarshal index.json: %w", err)
 	}
-
 	// local bundles only have one manifest entry in their index.json
 	bundleManifestDesc := index.Manifests[0]
 	tp.bundleRootDesc = bundleManifestDesc
@@ -147,11 +151,11 @@ func (tp *tarballBundleProvider) getBundleManifest() error {
 
 	manifestRelativePath := filepath.Join(config.BlobsDir, bundleManifestDesc.Digest.Encoded())
 
-	if err := av3.Extract(tp.src, manifestRelativePath, tp.dst); err != nil {
+	if err := av3.Extract(tp.src, manifestRelativePath, secureTempDir); err != nil {
 		return fmt.Errorf("failed to extract %s from %s: %w", bundleManifestDesc.Digest.Encoded(), tp.src, err)
 	}
 
-	manifestPath := filepath.Join(tp.dst, manifestRelativePath)
+	manifestPath := filepath.Join(secureTempDir, manifestRelativePath)
 
 	defer os.Remove(manifestPath)