From ca403e68d19526e18a07b3caf5a3a45ff7bc5deb Mon Sep 17 00:00:00 2001
From: sneak
Date: Sun, 22 Feb 2026 14:55:55 +0100
Subject: [PATCH] Pin Dockerfile base images to SHA256 digests

Mutable tags on Docker Hub enable RCE during builds. Pin to exact digests with version/date comments for auditability.
---
 Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 55c66a5..2083384 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,13 @@
-FROM node:22-alpine AS build
+# node:22-alpine as of 2026-02-22
+FROM node@sha256:e4bf2a82ad0a4037d28035ae71529873c069b13eb0455466ae0bc13363826e34 AS build
 WORKDIR /app
 COPY package.json yarn.lock ./
 RUN yarn install --frozen-lockfile
 COPY . .
 RUN yarn build
 
-FROM nginx:stable-alpine
+# nginx:stable-alpine as of 2026-02-22
+FROM nginx@sha256:15e96e59aa3b0aada3a121296e3bce117721f42d88f5f64217ef4b18f458c6ab
 # Remove default config
 RUN rm /etc/nginx/conf.d/default.conf
 # Custom nginx config: real_ip from RFC1918, access_log to stdout
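Review bot: Both new FROM lines drop the tag entirely, so the only record of what each digest was resolved from is the `# … as of 2026-02-22` comment above it, which can silently drift from the digest when one is bumped without the other. Docker accepts the `name:tag@digest` form (the digest is what is pulled; the tag is informational), so `FROM node:22-alpine@sha256:e4bf2a82ad0a4037d28035ae71529873c069b13eb0455466ae0bc13363826e34 AS build` and `FROM nginx:stable-alpine@sha256:15e96e59aa3b0aada3a121296e3bce117721f42d88f5f64217ef4b18f458c6ab` keep the intended version in the instruction itself and let digest-update tooling (Renovate, Dependabot) see which tag to track. Pinning also freezes the base images' own security fixes, so a comment such as `# Digests are pinned; bump on a schedule rather than relying on tag updates` would make the trade-off explicit for the next maintainer.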