diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c803f98..c25b39bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,8 @@ listed in the changelog.
 
 - sonar-scanner invocations stderr not captured ([#719](https://github.com/opendevstack/ods-pipeline/issues/719))
 
+- run-sonarqube.sh typically not working on apple silicon ([#711](https://github.com/opendevstack/ods-pipeline/issues/711))
+
 ## [0.13.2] - 2023-07-18
 
 ### Fixed
diff --git a/build/package/Dockerfile.sonar b/build/package/Dockerfile.sonar
index 7ab8d108..aa3c4191 100644
--- a/build/package/Dockerfile.sonar
+++ b/build/package/Dockerfile.sonar
@@ -4,8 +4,8 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 USER root
 WORKDIR /usr/src/app
 
-ENV SONAR_SCANNER_VERSION=4.6.2.2472 \
-    CNES_REPORT_VERSION=4.0.0
+ENV SONAR_SCANNER_VERSION=4.8.0.2856 \
+    CNES_REPORT_VERSION=4.2.0
 
 # Build Go binary.
 COPY go.mod .
@@ -36,7 +36,8 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4
 ENV SONAR_EDITION="community" \
     JAVA_HOME=/usr/lib/jvm/jre-11
 
-RUN microdnf install --nodocs java-11-openjdk-headless which && microdnf clean all
+RUN microdnf install --nodocs java-11-openjdk-headless tzdata-java which && microdnf clean all
+# tzdata-java was missing unless explicitly installed: see https://stackoverflow.com/a/76848186
 
 COPY --from=builder /usr/local/bin/sonar /usr/local/bin/sonar
 COPY --from=builder /usr/local/sonar-scanner-cli /usr/local/sonar-scanner-cli
diff --git a/docs/design/software-design-specification.adoc b/docs/design/software-design-specification.adoc
index 1cee287f..a932a8d6 100644
--- a/docs/design/software-design-specification.adoc
+++ b/docs/design/software-design-specification.adoc
@@ -557,13 +557,13 @@ a| The script installs the Helm chart located in `deploy/ods-pipeline`. Further,
 
 | SDS-EXT-7
 | sonar-scanner
-| 4.6
+| 4.8
 | General purpose SonarQube scanner
 | https://github.com/SonarSource/sonar-scanner-cli
 
 | SDS-EXT-8
 | cnes-report
-| 4.0
+| 4.2
 | Exports code analysis from a SonarQube server in various file formats.
 | https://github.com/cnescatlab/sonar-cnes-report
 
diff --git a/scripts/run-sonarqube.sh b/scripts/run-sonarqube.sh
index b919d741..442cbf6c 100755
--- a/scripts/run-sonarqube.sh
+++ b/scripts/run-sonarqube.sh
@@ -38,7 +38,7 @@ if [ "$(uname -m)" = "arm64" ]; then
         rm -rf docker-sonarqube || true
         git clone https://github.com/SonarSource/docker-sonarqube
         cd docker-sonarqube
-        git checkout refs/tags/9.7.0 # Last available Git tag
+        git checkout refs/tags/9.9.1 # Last available Git tag
         cd 9/community
         docker build -t sonarqube-arm:${SONAR_IMAGE_TAG} .
         cd "${SCRIPT_DIR}"/sonarqube
diff --git a/scripts/sonarqube/Dockerfile b/scripts/sonarqube/Dockerfile
index 8e1dee85..0d8540fc 100644
--- a/scripts/sonarqube/Dockerfile
+++ b/scripts/sonarqube/Dockerfile
@@ -1,6 +1,11 @@
 ARG from=""
 FROM $from
 
+USER root
+ENV SQ_CONF_DIR="/opt/sonarqube/conf"
+RUN chmod -R ugo+wrX "${SQ_CONF_DIR}"
+
+USER sonarqube
 RUN echo "sonar.forceAuthentication=true" >> conf/sonar.properties
 
 # Uncomment the following line to see debug output, e.g. in case SonarQube is