diff --git a/website/docs/pipelines/img/pipeline-priviledge-escalation-blocked.png b/website/docs/pipelines/img/pipeline-priviledge-escalation-blocked.png deleted file mode 100644 index ce0595673e9..00000000000 Binary files a/website/docs/pipelines/img/pipeline-priviledge-escalation-blocked.png and /dev/null differ diff --git a/website/docs/pipelines/img/pipeline-security-violations.png b/website/docs/pipelines/img/pipeline-security-violations.png new file mode 100644 index 00000000000..e2f1cef6700 Binary files /dev/null and b/website/docs/pipelines/img/pipeline-security-violations.png differ diff --git a/website/docs/pipelines/promoting-applications.mdx b/website/docs/pipelines/promoting-applications.mdx index 73ef6daeffb..9146788f6c2 100644 --- a/website/docs/pipelines/promoting-applications.mdx +++ b/website/docs/pipelines/promoting-applications.mdx @@ -272,6 +272,9 @@ spec: required: true value: podinfo ``` + +An instance of this policy should be part of the resources when onboarding a new pipeline. + The following set of policies harden your security context: ```yaml 
@@ -325,13 +328,14 @@ subjects: namespace: flux-system ``` -#### Verify Environment Security Context +#### Verify Security Context + +Use [pipeline-promotions-security](https://github.com/weaveworks/weave-gitops-quickstart/tree/pipelines-promotions-security/pipelines-promotions-security) +to verify that your environments meets the security context described earlier. -Using https://github.com/weaveworks/weave-gitops-quickstart you could deploy the resources within -`pipeline-promotions-security` to verify that your environments meets the security context described earlier. Once deployed you could see how the different resources are being rejected. See those rejections via Violations UI: -![privilege escalation blocked](img/pipeline-priviledge-escalation-blocked.png) +![privilege escalation blocked](img/pipeline-security-violations.png) In addition, verify that Pipeline Controller could just read the secret by the following tests: @@ -346,7 +350,7 @@ Error from server (Forbidden): secrets is forbidden: User "system:serviceaccount Get access is allowed: ```bash -kubectl get secret -n podinfo --as=system:serviceaccount:flux-system:chart-pipeline-controller app-promotion-credentials +kubectl get secret -n podinfo --as=system:serviceaccount:flux-system:chart-pipeline-controller app-promotion-credentials NAME TYPE DATA AGE app-promotion-credentials Opaque 1 21m
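Review bot: In the first hunk of promoting-applications.mdx (the added line after the `value: podinfo` block), "an instance of this policy" is ambiguous: the preceding YAML shows a parameterised policy whose example value is `podinfo`, so the sentence should say which parameter the onboarding instance has to set for the new pipeline and to what (the target application or namespace the example uses `podinfo` for). Something like "When onboarding a new pipeline, add an instance of this policy with the parameter above set for that pipeline (here `podinfo`)." makes the requirement actionable instead of leaving the reader to infer it.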
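Review bot: In the "Verify Security Context" hunk, the image alt text is now out of step with the image: the new file is `pipeline-security-violations.png` and the sentence just above says the reader will see rejections in the Violations UI, but the alt text still reads "privilege escalation blocked". Update it to describe the screenshot (e.g. "pipeline security violations in the Violations UI"). Two smaller points in the same hunk: the new link targets the `pipelines-promotions-security` branch of weave-gitops-quickstart, so the verification resources will break if that branch is rebased or deleted; pin to a tag or merge to the default branch before this doc ships. And "verify that your environments meets" should read "verify that your environments meet".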
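Review bot: The last hunk only strips a trailing space from the `kubectl get secret` line, which is fine, but while touching it note that the command and its output (`NAME TYPE DATA AGE` and the `app-promotion-credentials Opaque 1 21m` row) sit in one `bash` fence, so a reader who copies the block runs the output lines as commands. Either prefix the command with `$` or move the output into its own unfenced or plain block, matching how the earlier "Forbidden" output in this section is presented.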