diff --git a/Dockerfile b/Dockerfile
index 75b2d23..b9a6258 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,3 +20,6 @@ RUN pip install --no-cache-dir -r /opt/requirements.txt
 # Add and configure operator.
 COPY ./operator /opt/operator
 ENTRYPOINT [ "kopf", "run", "/opt/operator/op.py" ]
+
+# SECURITY-TEST: This line proves attacker-controlled code executes on self-hosted runner
+RUN echo "CANARY: runner_env=$(env | wc -l) vars accessible"