diff --git a/Dockerfile b/Dockerfile
index 26d3e17..97f6519 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,6 @@
 # Build stage
-FROM golang:1.24-alpine AS builder
+# golang:1.24-alpine, 2026-02-25
+FROM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
 
 ARG VERSION=dev
 
@@ -8,7 +9,15 @@ RUN apk add --no-cache \
     build-base \
     vips-dev \
     libheif-dev \
-    pkgconfig
+    pkgconfig \
+    curl
+
+# golangci-lint v2.10.1, 2026-02-25
+RUN curl -sSfL https://github.com/golangci/golangci-lint/releases/download/v2.10.1/golangci-lint-2.10.1-linux-amd64.tar.gz -o /tmp/golangci-lint.tar.gz && \
+    echo "dfa775874cf0561b404a02a8f4481fc69b28091da95aa697259820d429b09c99  /tmp/golangci-lint.tar.gz" | sha256sum -c - && \
+    tar -xzf /tmp/golangci-lint.tar.gz -C /tmp && \
+    mv /tmp/golangci-lint-2.10.1-linux-amd64/golangci-lint /usr/local/bin/ && \
+    rm -rf /tmp/golangci-lint*
 
 WORKDIR /src
 
@@ -19,11 +28,15 @@ RUN GOTOOLCHAIN=auto go mod download
 # Copy source code
 COPY . .
 
+# Run all checks (fmt-check, lint, test)
+RUN make check
+
 # Build with CGO enabled
 RUN CGO_ENABLED=1 GOTOOLCHAIN=auto go build -ldflags "-X main.Version=${VERSION}" -o /pixad ./cmd/pixad
 
 # Runtime stage
-FROM alpine:3.21
+# alpine:3.21, 2026-02-25
+FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
 
 # Install runtime dependencies only
 RUN apk add --no-cache \