diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 338531881a2..fdf26617a18 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -72,7 +72,7 @@ jobs:
 environment: deploy
 strategy:
 matrix:
- id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview"]
+ id: ["operator-sdk", "helm-operator", "scorecard-test", "ansible-operator", "ansible-operator-2.11-preview", "scorecard-storage", "scorecard-untar"]
 steps:
 - name: set up qemu
diff --git a/Makefile b/Makefile
index 008ea2738d9..234e3372c4d 100644
--- a/Makefile
+++ b/Makefile
@@ -92,7 +92,7 @@ build/scorecard-test build/scorecard-test-kuttl build/custom-scorecard-tests:
 # Convenience wrapper for building all remotely hosted images.
 .PHONY: image-build
-IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl
+IMAGE_TARGET_LIST = operator-sdk helm-operator ansible-operator ansible-operator-2.11-preview scorecard-test scorecard-test-kuttl scorecard-untar scorecard-storage
 image-build: $(foreach i,$(IMAGE_TARGET_LIST),image/$(i)) ## Build all images.
 # Convenience wrapper for building dependency base images.
diff --git a/changelog/fragments/03-scorecard-image-psa.yaml b/changelog/fragments/03-scorecard-image-psa.yaml
new file mode 100644
index 00000000000..af142f529c9
--- /dev/null
+++ b/changelog/fragments/03-scorecard-image-psa.yaml
@@ -0,0 +1,18 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+ - description: >
+ (scorecard): update default storage and untar images to images
+ that run as non-root users by default. This ensures full compliance
+ with restricted PSA guidelines when using `--pod-security=restricted`.
+
+ # kind is one of:
+ # - addition
+ # - change
+ # - deprecation
+ # - removal
+ # - bugfix
+ kind: "bugfix"
+
+ # Is this a breaking change?
+ breaking: false
diff --git a/images/scorecard-storage/Dockerfile b/images/scorecard-storage/Dockerfile
new file mode 100644
index 00000000000..d0a17eba198
--- /dev/null
+++ b/images/scorecard-storage/Dockerfile
@@ -0,0 +1,12 @@
+FROM docker.io/busybox:1.36
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+ USER_NAME=scorecard-untar \
+ USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}
diff --git a/images/scorecard-untar/Dockerfile b/images/scorecard-untar/Dockerfile
new file mode 100644
index 00000000000..a6f72053748
--- /dev/null
+++ b/images/scorecard-untar/Dockerfile
@@ -0,0 +1,12 @@
+FROM registry.access.redhat.com/ubi8:8.7
+
+## Create a new non-root user to run as
+ENV HOME=/opt/scorecard-untar \
+ USER_NAME=scorecard-untar \
+ USER_UID=1001
+
+RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
+
+WORKDIR ${HOME}
+
+USER ${USER_UID}
diff --git a/internal/cmd/operator-sdk/scorecard/cmd.go b/internal/cmd/operator-sdk/scorecard/cmd.go
index 13b21138789..7265ac4055a 100644
--- a/internal/cmd/operator-sdk/scorecard/cmd.go
+++ b/internal/cmd/operator-sdk/scorecard/cmd.go
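Review bot: The scorecard-storage Dockerfile reuses the untar image's identity — `HOME=/opt/scorecard-untar` and `USER_NAME=scorecard-untar` — so its /etc/passwd entry and WORKDIR describe the wrong image; `HOME=/opt/scorecard-storage \` and `USER_NAME=scorecard-storage \` keep the two containers distinguishable when inspecting a running scorecard pod. The numeric `USER ${USER_UID}` is the line that makes the scorecard.go change on this page work, because the kubelet can only verify RunAsNonRoot against an image whose USER is numeric, so a comment such as `## Numeric UID (not the name) so the kubelet can verify RunAsNonRoot without a pod-level RunAsUser` would protect it from a later cleanup. The base images are pinned by tag only (`busybox:1.36`, `ubi8:8.7`) while the defaults they replace were digest-pinned; a digest on the FROM lines would keep these builds reproducible.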
@@ -91,10 +91,10 @@ If the argument holds an image tag, it must be present remotely.`,
 scorecardCmd.Flags().DurationVarP(&c.waitTime, "wait-time", "w", 30*time.Second, "seconds to wait for tests to complete. Example: 35s")
 scorecardCmd.Flags().StringVarP(&c.storageImage, "storage-image", "b",
- "docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af",
+ "quay.io/operator-framework/scorecard-storage:latest",
 "Storage image to be used by the Scorecard pod")
 scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u",
- "registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7",
+ "quay.io/operator-framework/scorecard-untar:latest",
 "Untar image to be used by the Scorecard pod")
 scorecardCmd.Flags().StringVarP(&c.testOutput, "test-output", "t", "test-output", "Test output directory.")
diff --git a/internal/cmd/operator-sdk/scorecard/cmd_test.go b/internal/cmd/operator-sdk/scorecard/cmd_test.go
index 2fc5d83dab4..9f68f072f8e 100644
--- a/internal/cmd/operator-sdk/scorecard/cmd_test.go
+++ b/internal/cmd/operator-sdk/scorecard/cmd_test.go
@@ -69,12 +69,12 @@ var _ = Describe("Running the scorecard command", func() {
 flag = cmd.Flags().Lookup("storage-image")
 Expect(flag).NotTo(BeNil())
 Expect(flag.Shorthand).To(Equal("b"))
- Expect(flag.DefValue).To(Equal("docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af"))
+ Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-storage:latest"))
 flag = cmd.Flags().Lookup("untar-image")
 Expect(flag).NotTo(BeNil())
 Expect(flag.Shorthand).To(Equal("u"))
- Expect(flag.DefValue).To(Equal("registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7"))
+ Expect(flag.DefValue).To(Equal("quay.io/operator-framework/scorecard-untar:latest"))
 })
 })
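Review bot: The two `+` lines replace digest-pinned defaults with mutable `:latest` tags, so the storage and untar containers that run inside the user's cluster under the test pod's service account can change content without any operator-sdk release, and two scorecard runs against the same SDK binary are no longer reproducible. Pinning to `quay.io/operator-framework/scorecard-storage@sha256:<DIGEST>` (placeholder; likewise for scorecard-untar), or at least to a tag tied to the SDK release, preserves the guarantee the old defaults gave; the cmd_test.go expectations on this line would follow. Since the pod security context elsewhere in this change keeps RunAsNonRoot without a fixed RunAsUser, an override of either flag with an image lacking a numeric non-root USER will likely fail at pod start, so the help text could say so: `"Storage image to be used by the Scorecard pod; must run as a numeric non-root user"`. The enclosing function begins before this hunk.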
diff --git a/internal/scorecard/scorecard.go b/internal/scorecard/scorecard.go
index 82d739be17b..8656fbfda07 100644
--- a/internal/scorecard/scorecard.go
+++ b/internal/scorecard/scorecard.go
@@ -227,8 +227,6 @@ func (r PodTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfigurat
 // creating a pod security context to support running in default namespace
 podSecCtx := v1.PodSecurityContext{}
 podSecCtx.RunAsNonRoot = &podSec
- podSecCtx.RunAsUser = &[]int64{1000}[0]
- podSecCtx.RunAsGroup = &[]int64{1000}[0]
 podSecCtx.SeccompProfile = &v1.SeccompProfile{
 Type: v1.SeccompProfileTypeRuntimeDefault,
 }
diff --git a/website/content/en/docs/cli/operator-sdk_scorecard.md b/website/content/en/docs/cli/operator-sdk_scorecard.md
index 625b7e8f172..5b5e85ea0eb 100644
--- a/website/content/en/docs/cli/operator-sdk_scorecard.md
+++ b/website/content/en/docs/cli/operator-sdk_scorecard.md
@@ -28,9 +28,9 @@ operator-sdk scorecard [flags]
 -l, --selector string label selector to determine which tests are run
 -s, --service-account string Service account to use for tests (default "default")
 -x, --skip-cleanup Disable resource cleanup after tests are run
- -b, --storage-image string Storage image to be used by the Scorecard pod (default "docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af")
+ -b, --storage-image string Storage image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-storage:latest")
 -t, --test-output string Test output directory. (default "test-output")
- -u, --untar-image string Untar image to be used by the Scorecard pod (default "registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7")
+ -u, --untar-image string Untar image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-untar:latest")
 -w, --wait-time duration seconds to wait for tests to complete. Example: 35s (default 30s)
 ```
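Review bot: Removing `RunAsUser`/`RunAsGroup` while keeping `podSecCtx.RunAsNonRoot = &podSec` means the pod's UID is now whatever each image's USER directive provides, and the kubelet refuses to start any container whose image has no numeric non-root USER — a user-supplied `--storage-image`/`--untar-image`, and presumably the test image too — with a runtime verification error rather than a scorecard-level message. Nothing in the hunk records why the fixed 1000/1000 was dropped, so a later change could reinstate it; a comment above the remaining assignment such as `// RunAsUser/RunAsGroup are deliberately unset: the UID comes from each image's numeric USER, which keeps the pod valid under restricted PSA and on platforms that assign UID ranges per namespace` would capture the intent (the platform motivation is inferred, confirm before wording it). RunTest begins and ends outside this hunk, and `podSec` is assigned before it.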