diff --git a/Dockerfile b/Dockerfile
index 799774e..3fd11ee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Lint stage — fast feedback on formatting and lint issues
-# golangci/golangci-lint:v2.1.6
-FROM golangci/golangci-lint:v2.1.6 AS lint
+# golangci/golangci-lint v2.1.6 (2026-03-10)
+FROM golangci/golangci-lint:v2.1.6@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
 
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -12,7 +12,8 @@ RUN make fmt-check
 RUN make lint
 
 # Build stage — tests and compilation
-FROM golang:1.24-alpine AS builder
+# golang 1.24.13-alpine (2026-03-10)
+FROM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
 
 # Force BuildKit to run the lint stage
 COPY --from=lint /src/go.sum /dev/null
@@ -29,7 +30,8 @@ RUN make test
 RUN CGO_ENABLED=1 go build -v -ldflags "-X 'git.eeqj.de/sneak/secret/internal/cli.Version=0.1.0' -X 'git.eeqj.de/sneak/secret/internal/cli.GitCommit=$(git rev-parse HEAD)'" -o secret cmd/secret/main.go
 
 # Runtime stage
-FROM alpine:latest
+# alpine 3.23 (2026-03-10)
+FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 
 RUN apk add --no-cache ca-certificates gnupg