diff --git a/git-commit b/git-commit
index cc62da00bd18417304fa0f2acf0a06ea5a4799e7..a3297ca089f1f9f009fb5a034ba468ea3abc6b35 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-efce815f50e77075d10070d724aeec93660630a7
+3cd040ca87658befd016fb613b3e9e8ad6a528a6
diff --git a/patch/0133-runc-add-CGO-sercuity-build-options.patch b/patch/0133-runc-add-CGO-sercuity-build-options.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d65ae2ada6a64bf373d4b8a2f7b8ff78556acf35
--- /dev/null
+++ b/patch/0133-runc-add-CGO-sercuity-build-options.patch
@@ -0,0 +1,27 @@
+From 70ec40e866f056f071e3df73e8f82608c9c1b741 Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Thu, 22 Sep 2022 09:31:43 +0800
+Subject: [PATCH] runc: add CGO sercuity build options
+
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 94cf3f8..2f6bb17 100644
+--- a/Makefile
++++ b/Makefile
+@@ -45,8 +45,8 @@ LD_FLAGS='-w -buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=
+ static: $(SOURCES)
+ rm -rf /tmp/bep-runc && mkdir /tmp/bep-runc
+ CGO_ENABLED=1 \
+- CGO_CFLAGS="-fstack-protector-strong -fPIE" \
+- CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build -buildmode=pie -tags "$(BUILDTAGS) cgo static_build" -ldflags '-extldflags=-static' -ldflags $(LD_FLAGS) -o runc .
+-- 
+2.30.0
+
diff --git a/runc-openeuler.spec b/runc-openeuler.spec
index 5325fd096038b124e76dc36415d11065bc0e064d..a38d45a1b4b099fea46a1bcc48c164ddd778c249 100644
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
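Review bot: The new `CGO_CPPFLAGS` line carries `-O2`, a code-generation flag with no preprocessor meaning, and `-D_FORTIFY_SOURCE=2` now reaches every C compile twice because cgo hands both CGO_CPPFLAGS and CGO_CFLAGS to the compiler; a cleaner split is `CGO_CFLAGS="-fstack-protector-strong -fPIE -O2"` and `CGO_CPPFLAGS="-fstack-protector-strong -fPIE -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"`, where the `-U` sidesteps a macro-redefinition warning on toolchains whose specs already predefine it. Whichever layout is kept, `-O2` must stay, since glibc silently ignores `_FORTIFY_SOURCE` when compiling without optimisation and the flags being replaced contain no optimisation level at all; a comment above the assignment such as `# _FORTIFY_SOURCE is a no-op without optimisation; -O2 must accompany it` would preserve that rationale. The patch file name and its Subject spell "sercuity" while the spec changelog says "security", and because series.conf references the file name, fixing the spelling later means touching both files. Separately, the context lines show the recipe doing `rm -rf /tmp/bep-runc && mkdir /tmp/bep-runc` on a fixed, predictable path that is also used as `-tmpdir` in LD_FLAGS, which is racy on a shared build host; `mktemp -d` would be the usual replacement, though that predates this commit. The `static` recipe begins inside the hunk, but `LD_FLAGS` and `SOURCES`, which it references, are defined outside it.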
@@ -4,7 +4,7 @@
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 303
+Release: 304
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -53,6 +53,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Thu Sep 22 2022 zhongjiawei - 1.0.0.rc3-304
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:add CGO security build option
+
 * Tue Aug 16 2022 zhongjiawei - 1.0.0.rc3-303
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index de96a2b9480f31cf9eaa8b4547f68dc86fe6d8c6..bbc44b02d0d5f4eafbce5c0cbdb7506cb29365e3 100644
--- a/series.conf
+++ b/series.conf
@@ -131,4 +131,5 @@ patch/0130-runc-fix-cgroup-info-print-error.patch
 patch/0128-runc-fix-CVE-2022-29162.patch
 patch/0131-runc-change-Umask-to-0022.patch
 patch/0132-runc-fix-systemd-cgroup-after-memory-type-changed.patch
+patch/0133-runc-add-CGO-sercuity-build-options.patch
 #end