diff --git a/packages/@aws-cdk/core/lib/asset-staging.ts b/packages/@aws-cdk/core/lib/asset-staging.ts
index 44ab0de0bdd5d..89f7257ae522a 100644
--- a/packages/@aws-cdk/core/lib/asset-staging.ts
+++ b/packages/@aws-cdk/core/lib/asset-staging.ts
@@ -463,6 +463,7 @@ export class AssetStaging extends CoreConstruct {
         volumes,
         environment: options.environment,
         workingDirectory: options.workingDirectory ?? AssetStaging.BUNDLING_INPUT_DIR,
+        securityOpt: options.securityOpt ?? '',
       });
     }
   } catch (err) {
diff --git a/packages/@aws-cdk/core/lib/bundling.ts b/packages/@aws-cdk/core/lib/bundling.ts
index 81315ee94be0d..c6b6b66881771 100644
--- a/packages/@aws-cdk/core/lib/bundling.ts
+++ b/packages/@aws-cdk/core/lib/bundling.ts
@@ -86,6 +86,14 @@ export interface BundlingOptions {
    *
    */
   readonly outputType?: BundlingOutput;
+
+  /**
+   * [Security configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
+   * when running the docker container.
+   *
+   * @default - no security options
+   */
+  readonly securityOpt?: string;
 }
 
 /**
@@ -413,7 +421,7 @@ export interface DockerRunOptions {
    * [Security configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
    * when running the docker container.
    *
-   * @default - no secutiy options
+   * @default - no security options
    */
   readonly securityOpt?: string;
 }
diff --git a/packages/@aws-cdk/core/test/staging.test.ts b/packages/@aws-cdk/core/test/staging.test.ts
index e492f0a2dce88..c55e7a9286326 100644
--- a/packages/@aws-cdk/core/test/staging.test.ts
+++ b/packages/@aws-cdk/core/test/staging.test.ts
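Review bot: `securityOpt: options.securityOpt ?? ''` turns an omitted option into an empty string, while `environment` on the line above is forwarded exactly as given; whether `''` really means "no security option" depends on how the run implementation (outside this hunk) builds its argument list, and a `!== undefined` check there would emit `--security-opt` with an empty value. Forwarding the value unchanged, `securityOpt: options.securityOpt,`, keeps the documented default of "no security options" true regardless of that check and matches the optional `securityOpt?: string` declared on `DockerRunOptions` in this same commit. The enclosing method starts and ends outside the hunk.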
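Review bot: The new `securityOpt` doc comment on `BundlingOptions` only links to Docker's reference, so a reader cannot tell from it how the value is used or that it can either tighten or loosen the bundling container. The test in this commit shows it is forwarded verbatim as one `docker run --security-opt` argument, so the comment should say so and give the hardening example the test uses: `Passed verbatim as a single \`--security-opt\` argument to \`docker run\`, e.g. \`no-new-privileges\` to prevent privilege escalation inside the bundling container; values that disable seccomp or AppArmor weaken isolation of the build and should be reviewed.` The same addition applies to the `DockerRunOptions.securityOpt` doc comment further down in this file. Since the type is a single `string`, the comment should also state that only one security option can be set per bundling.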
@@ -597,6 +597,34 @@ nodeunitShim({
     test.done();
   },
+
+  'bundling with docker security option'(test: Test) {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'stack');
+    const directory = path.join(__dirname, 'fs', 'fixtures', 'test1');
+
+    // WHEN
+    const asset = new AssetStaging(stack, 'Asset', {
+      sourcePath: directory,
+      bundling: {
+        image: BundlingDockerImage.fromRegistry('alpine'),
+        command: [DockerStubCommand.SUCCESS],
+        securityOpt: 'no-new-privileges',
+      },
+      assetHashType: AssetHashType.BUNDLE,
+    });
+
+    // THEN
+    test.equal(
+      readDockerStubInput(),
+      `run --rm --security-opt no-new-privileges ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
+    );
+    test.equal(asset.assetHash, '33cbf2cae5432438e0f046bc45ba8c3cef7b6afcf47b59d1c183775c1918fb1f');
+
+    test.done();
+  },
+
   'bundling with OUTPUT asset hash type'(test: Test) {
     // GIVEN
     const app = new App();
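Review bot: Only the set-option path is covered; nothing asserts the default, where asset-staging.ts in this commit now passes `securityOpt: options.securityOpt ?? ''`, so a regression that emits `--security-opt` with an empty value when the option is omitted would go unnoticed. Add a sibling case that omits `securityOpt` and asserts `test.ok(!readDockerStubInput().includes('--security-opt'));`. The hard-coded `assetHash` value will silently change with any edit to the `fs/fixtures/test1` fixture; a short comment on that line saying it is the expected `AssetHashType.BUNDLE` hash for that fixture would tell the next maintainer why it breaks. The `nodeunitShim` block this test lives in starts and ends outside the hunk.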