diff --git a/Jenkinsfile b/Jenkinsfile
index 0e4a468..3eeddd0 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,79 +1,200 @@
 pipeline {
   agent any
+  
   environment {
     // Non-secret config injected from Jenkins Credentials (Secret Text)
     AWS_REGION     = credentials('AWS_REGION')
     AWS_ACCOUNT_ID = credentials('AWS_ACCOUNT_ID')
     CODEART_DOMAIN = credentials('CODEART_DOMAIN')
     CODEART_REPO   = credentials('CODEART_REPO')
+    
+    // Build configuration
+    PYTHON_VERSION = '3.11-slim'
+    BUILD_IMAGE = "python:${PYTHON_VERSION}"
   }
+  
+  options {
+    // Prevent concurrent builds
+    disableConcurrentBuilds()
+    // Keep build logs for audit
+    buildDiscarder(logRotator(numToKeepStr: '50'))
+    // Timeout protection
+    timeout(time: 30, unit: 'MINUTES')
+  }
+  
   stages {
     stage('Checkout') {
       steps {
         checkout scm
       }
     }
+    
     stage('Authenticate & Configure') {
       steps {
-        // Use AWS Steps Plugin to pick up your IAM user keys
-        withAWS(credentials: 'jenkins-codeartifact', region: "${AWS_REGION}") {
+        withAWS(credentials: 'jenkins-codeartifact', region: env.AWS_REGION) {
           script {
             // Fetch a short-lived CodeArtifact token
             env.CODEART_TOKEN = sh(
               script: """
                 aws codeartifact get-authorization-token \\
-                  --domain ${CODEART_DOMAIN} \\
-                  --domain-owner ${AWS_ACCOUNT_ID} \\
+                  --domain ${env.CODEART_DOMAIN} \\
+                  --domain-owner ${env.AWS_ACCOUNT_ID} \\
                   --query authorizationToken --output text
               """, returnStdout: true
             ).trim()
+            
+            // Store repository URL for Docker container
+            env.CODEART_URL = "https://aws:${env.CODEART_TOKEN}@${env.CODEART_DOMAIN}-${env.AWS_ACCOUNT_ID}.d.codeartifact.${env.AWS_REGION}.amazonaws.com/pypi/${env.CODEART_REPO}/simple/"
           }
-          // Point pip and twine at your CodeArtifact repo
-          sh '''
-            pip config set global.index-url \
-"https://aws:${CODEART_TOKEN}@${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/simple/"
-            cat > ~/.pypirc <<EOF
+        }
+      }
+    }
+    
+    stage('Build') {
+      steps {
+        script {
+          // Use Docker for consistent, isolated build environment
+          docker.image(env.BUILD_IMAGE).inside() {
+            sh '''
+              # Configure pip to use CodeArtifact
+              pip config set global.index-url "${CODEART_URL}"
+              
+              # Install build dependencies
+              pip install --upgrade setuptools wheel twine
+              
+              # Build the package
+              python3 setup.py sdist bdist_wheel
+            '''
+          }
+        }
+      }
+    }
+    
+    stage('Security Scan') {
+      parallel {
+        stage('Trivy Filesystem Scan') {
+          steps {
+            sh '''
+              docker run --rm -v ${WORKSPACE}:/project \\
+                aquasec/trivy:latest fs \\
+                --severity HIGH,CRITICAL \\
+                --exit-code 1 \\
+                --format json \\
+                --output trivy-fs-report.json \\
+                /project
+            '''
+            
+            // Archive security scan results
+            archiveArtifacts artifacts: 'trivy-fs-report.json', allowEmptyArchive: true
+          }
+        }
+        
+        stage('Package Vulnerability Scan') {
+          when {
+            // Only scan if build artifacts exist
+            expression { fileExists('dist/*.whl') }  
+          }
+          steps {
+            script {
+              docker.image(env.BUILD_IMAGE).inside() {
+                sh '''
+                  pip install safety
+                  safety check --json --output safety-report.json || true
+                '''
+              }
+            }
+            archiveArtifacts artifacts: 'safety-report.json', allowEmptyArchive: true
+          }
+        }
+      }
+    }
+    
+    stage('Test') {
+      steps {
+        script {
+          docker.image(env.BUILD_IMAGE).inside() {
+            sh '''
+              # Install test dependencies if they exist
+              if [ -f requirements-test.txt ]; then
+                pip install -r requirements-test.txt
+              fi
+              
+              # Install the built package for testing
+              pip install dist/*.whl
+              
+              # Run tests if they exist
+              if [ -f pytest.ini ] || [ -d tests ]; then
+                python -m pytest --junitxml=test-results.xml || true
+              fi
+            '''
+          }
+        }
+      }
+      post {
+        always {
+          // Publish test results
+          publishTestResults testResultsPattern: 'test-results.xml'
+        }
+      }
+    }
+    
+    stage('Publish') {
+      when {
+        // Only publish on main branch or release tags
+        anyOf {
+          branch 'main'
+          tag pattern: 'v\\d+\\.\\d+\\.\\d+', comparator: 'REGEXP'
+        }
+      }
+      steps {
+        script {
+          docker.image(env.BUILD_IMAGE).inside() {
+            sh '''
+              # Configure twine for CodeArtifact
+              cat > ~/.pypirc <<EOF
 [distutils]
 index-servers = codeartifact
+
 [codeartifact]
 repository = https://${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/
 username = aws
 password = ${CODEART_TOKEN}
 EOF
-          '''
+              
+              # Publish to CodeArtifact
+              twine upload --repository codeartifact dist/*
+            '''
+          }
         }
       }
     }
-    stage('Build') {
-      steps {
-        sh '''
-          python3 -m pip install --upgrade setuptools wheel twine
-          python3 setup.py sdist bdist_wheel
-        '''
-      }
-    }
-    stage('Trivy Security Scan') {
-      steps {
-        // Runs Trivy as a Docker container against your workspace
-        // This will fail the build if HIGH or CRITICAL vulnerabilities are found
-        sh 'docker run --rm -v ${WORKSPACE}:/project aquasec/trivy:latest fs --severity HIGH,CRITICAL --exit-code 1 /project'
-      }
-    }
-    stage('Publish') {
-      steps {
-        // Only publish if security scan passes
-        sh '''
-          twine upload --repository codeartifact dist/*
-        '''
-      }
-    }
   }
+  
   post {
+    always {
+      // Archive build artifacts
+      archiveArtifacts artifacts: 'dist/*', allowEmptyArchive: true
+      
+      // Clean up workspace to prevent credential leakage
+      cleanWs()
+    }
+    
     success {
       echo '✅ Build succeeded and package published to CodeArtifact.'
+      
+      // Notify success (Slack, email, etc.)
+      // slackSend channel: '#builds', color: 'good', message: "✅ ${env.JOB_NAME} - ${env.BUILD_NUMBER} succeeded"
     }
+    
     failure {
       echo '❌ Build failed — check the console output for errors.'
+      
+      // Notify failure
+      // slackSend channel: '#builds', color: 'danger', message: "❌ ${env.JOB_NAME} - ${env.BUILD_NUMBER} failed"
+    }
+    
+    unstable {
+      echo '⚠️ Build unstable — tests may have failed.'
     }
   }
 }
\ No newline at end of file