diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 442465f30..742370254 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -11,7 +11,6 @@ jobs:
 matrix:
 workdir:
 - servers/cromwell
- - servers/dsub
 - ui
 steps:
diff --git a/README.md b/README.md
index 11c91f96d..af48e40d3 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,11 @@
 # Job Manager
 [![CircleCI branch](https://img.shields.io/circleci/project/github/DataBiosphere/job-manager/master.svg?label=Tests%20on%20Circle%20CI&style=flat-square)](https://circleci.com/gh/DataBiosphere/job-manager/tree/master)
-![Github](https://img.shields.io/badge/Supported%20Backends-cromwell%20%7C%20dsub-blue.svg?&style=flat-square)
+![Github](https://img.shields.io/badge/Supported%20Backends-cromwell-blue.svg?&style=flat-square)
 ![GitHub](https://img.shields.io/github/license/DataBiosphere/job-manager.svg?color=orange&style=flat-square)
 [![GitHub release](https://img.shields.io/github/release/DataBiosphere/job-manager.svg?label=Latest%20Release&style=flat-square&colorB=green)](https://github.com/DataBiosphere/job-manager/releases)
-[![Github](https://img.shields.io/badge/Docker%20Image-UI-blue.svg?style=flat-square)](https://cloud.docker.com/u/databiosphere/repository/docker/databiosphere/job-manager-ui)
-[![Github](https://img.shields.io/badge/Docker%20Image-dsub%20shim%20API-blue.svg?style=flat-square)](https://cloud.docker.com/u/databiosphere/repository/docker/databiosphere/job-manager-api-dsub)
-[![Github](https://img.shields.io/badge/Docker%20Image-cromwell%20shim%20API-blue.svg?style=flat-square)](https://cloud.docker.com/u/databiosphere/repository/docker/databiosphere/job-manager-api-cromwell)
+[![Github](https://img.shields.io/badge/Docker%20Image-UI-blue.svg?style=flat-square)](https://console.cloud.google.com/gcr/images/broad-dsp-gcr-public/US/job-manager-ui)
+[![Github](https://img.shields.io/badge/Docker%20Image-cromwell%20shim%20API-blue.svg?style=flat-square)](https://console.cloud.google.com/gcr/images/broad-dsp-gcr-public/US/job-manager-api-cromwell)
 ## Lifecycle notice
diff --git a/servers/cromwell/Dockerfile b/servers/cromwell/Dockerfile
index f39d3783a..4acca1057 100644
--- a/servers/cromwell/Dockerfile
+++ b/servers/cromwell/Dockerfile
@@ -6,6 +6,7 @@ ADD ./ /job-manager
 RUN /bin/bash -c scripts/rebuild_swagger.sh
+# We cannot yet adopt a blessed Python image because Job Manager uses python2 and blessed only has 3
 FROM gcr.io/google-appengine/python
 WORKDIR /app
diff --git a/servers/dsub/Dockerfile b/servers/dsub/Dockerfile
deleted file mode 100644
index 69d30145e..000000000
--- a/servers/dsub/Dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-FROM openjdk
-
-WORKDIR /job-manager
-
-ADD ./ /job-manager
-
-RUN /bin/bash -c scripts/rebuild_swagger.sh
-
-FROM gcr.io/google-appengine/python
-RUN virtualenv --no-download /env -p python
-
-# Set virtualenv environment variables. This is equivalent to running
-# source /env/bin/activate
-ENV VIRTUAL_ENV /env
-ENV PATH /env/bin:$PATH
-
-WORKDIR /app
-COPY --from=0 /job-manager/servers/jm_utils /app/jm_utils
-COPY --from=0 /job-manager/servers/dsub/jobs /app/jobs
-COPY ./servers/dsub/requirements.txt /app/jobs
-RUN cd jobs && pip install -r requirements.txt
-# We installed jm_utils so don't need local copy anymore, which breaks imports
-RUN rm -rf jm_utils
-
-# Missing required arguments -b PORT, -e ... which must be provided by the
-# docker image user.
-ENTRYPOINT ["/env/bin/gunicorn", "jobs.__main__:app"]
diff --git a/servers/dsub/Dockerfile.dev b/servers/dsub/Dockerfile.dev
deleted file mode 100644
index 62f6b3237..000000000
--- a/servers/dsub/Dockerfile.dev
+++ /dev/null
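Review bot: In servers/cromwell/Dockerfile the runtime stage still starts from `FROM gcr.io/google-appengine/python` with no tag or digest, and the new comment records that the image stays on Python 2 without saying where that exception is tracked. Python 2 no longer receives upstream security fixes and this base sits outside the blessed set, so I would pin it by digest so the image the Trivy job scans is the one that ships, e.g. `FROM gcr.io/google-appengine/python@sha256:<digest-placeholder>`. I would also extend the comment with a tracking reference, such as `# TODO(<issue-placeholder>): move to a blessed Python 3 base once the Python 2 dependency is removed`. The rest of this stage lies outside the hunk.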
@@ -1,21 +0,0 @@
-# Note: This is the dockerfile for development purposes
-
-FROM gcr.io/google-appengine/python
-RUN virtualenv --no-download /env -p python
-
-# Set virtualenv environment variables. This is equivalent to running
-# source /env/bin/activate
-ENV VIRTUAL_ENV /env
-ENV PATH /env/bin:$PATH
-
-WORKDIR /app
-ADD jm_utils /app/jm_utils
-ADD dsub/jobs /app/jobs
-ADD dsub/requirements.txt /app/jobs
-RUN cd jobs && pip install -r requirements.txt
-# We installed jm_utils so don't need local copy anymore, which breaks imports
-RUN rm -rf jm_utils
-
-# Missing required arguments -b PORT, -e ... which must be provided by the
-# docker image user.
-ENTRYPOINT ["/bin/bash", "/scripts/await_md5_match.sh", "/app/jobs/models/.jobs.yaml.md5", "--", "/env/bin/gunicorn", "jobs.__main__:app"]
diff --git a/servers/dsub/Dockerfile.local b/servers/dsub/Dockerfile.local
deleted file mode 100644
index b5bf163e4..000000000
--- a/servers/dsub/Dockerfile.local
+++ /dev/null
@@ -1,31 +0,0 @@
-# Note: This is the dockerfile for development purposes
-
-FROM gcr.io/google-appengine/python
-RUN virtualenv --no-download /env -p python
-
-# Set virtualenv environment variables. This is equivalent to running
-# source /env/bin/activate
-ENV VIRTUAL_ENV /env
-ENV PATH /env/bin:$PATH
-
-WORKDIR /app
-ADD jm_utils /app/jm_utils
-ADD dsub/jobs /app/jobs
-ADD dsub/requirements.txt /app/jobs
-RUN cd jobs && pip install -r requirements.txt
-# We installed jm_utils so don't need local copy anymore, which breaks imports
-RUN rm -rf jm_utils
-
-# Install docker-ce for dsub local provider
-RUN apt-get update
-RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
-RUN apt-get install -y --no-install-recommends apt-utils
-RUN apt-get install -y apt-utils apt-transport-https ca-certificates curl gnupg2 software-properties-common
-RUN curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | apt-key add -
-RUN add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable"
-RUN apt-get update
-RUN apt-get install -y docker-ce
-
-# Missing required arguments -b PORT, -e ... which must be provided by the
-# docker image user.
-ENTRYPOINT ["/bin/bash", "/scripts/await_md5_match.sh", "/app/jobs/models/.jobs.yaml.md5", "--", "/env/bin/gunicorn", "jobs.__main__:app"]
diff --git a/ui/Dockerfile b/ui/Dockerfile
index ed01397aa..1c610153c 100644
--- a/ui/Dockerfile
+++ b/ui/Dockerfile
@@ -21,7 +21,7 @@ RUN npm install
 RUN /ui/node_modules/.bin/ng build --prod
-FROM nginx:mainline-alpine
+FROM us.gcr.io/broad-dsp-gcr-public/base/nginx:mainline-alpine
 COPY --from=1 /ui/dist /ui/dist
 ADD ./ui/nginx.prod.conf /etc/nginx/nginx.conf
diff --git a/ui/nginx.prod.conf b/ui/nginx.prod.conf
index b9343bd2f..2e946c17d 100644
--- a/ui/nginx.prod.conf
+++ b/ui/nginx.prod.conf
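Review bot: In ui/Dockerfile the new base `us.gcr.io/broad-dsp-gcr-public/base/nginx:mainline-alpine` is still referenced by a moving tag, so two builds of the same commit can end up on different runtime images. Pinning by digest keeps the tag readable while making the base reproducible and auditable: `FROM us.gcr.io/broad-dsp-gcr-public/base/nginx:mainline-alpine@sha256:<digest-placeholder>`. On the unchanged line below it, `ADD ./ui/nginx.prod.conf /etc/nginx/nginx.conf` copies a plain local file and would be clearer as `COPY ./ui/nginx.prod.conf /etc/nginx/nginx.conf`. The earlier build stages are outside this hunk.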
@@ -4,6 +4,11 @@
 # Note: this nginx configuration is a default template, to deploy Job Manager on various types of servers,
 # such as Google App Engine, Google Kubernetes Engine, etc. please override this file
+# For compatibility with Nginx "unprivileged" blessed base image [0], put the PID somewhere not-privileged [1]
+# [0] https://github.com/broadinstitute/dsp-appsec-blessed-images/blob/main/nginx/Dockerfile.stable-alpine#L1
+# [1] https://broadinstitute.slack.com/archives/CADU7L0SZ/p1627588528360200?thread_ts=1627578911.354100&cid=CADU7L0SZ
+pid /tmp/nginx.pid;
+
 # Required - just leave the defaults for now.
 events {}
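Review bot: The added `pid /tmp/nginx.pid;` moves only one of the paths nginx writes at runtime. Because ui/Dockerfile copies this file over /etc/nginx/nginx.conf, any non-root adjustments the unprivileged base image presumably makes in its own nginx.conf no longer apply. The `http` block and `listen` directives are outside this hunk, so please confirm they use an unprivileged port and writable temp locations, for example `client_body_temp_path /tmp/client_temp;` and `proxy_temp_path /tmp/proxy_temp;` inside `http {}`. Reference [1] is a Slack thread that readers outside the workspace cannot open, so the reason belongs in the comment itself, e.g. `# The unprivileged image runs nginx as a non-root user, which cannot write the default pid path.`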