opendefensecloud · BergCyrill · May 12, 2026 · May 12, 2026
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.26.3 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:2981696eed011d747340d7252620932677929cce7d2d539602f56a8d7e9b660b AS builder
 
 WORKDIR /workspace
 RUN go env -w GOMODCACHE=/root/.cache/go-build
@@ -25,20 +25,20 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg \
     CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-s -w" -o bin/dependency-webhook ./cmd/webhook/
 
-FROM gcr.io/distroless/static:nonroot AS controller
+FROM gcr.io/distroless/static:nonroot@sha256:e3f945647ffb95b5839c07038d64f9811adf17308b9121d8a2b87b6a22a80a39 AS controller
 WORKDIR /
 COPY --from=controller-builder /workspace/bin/dependency-controller .
 USER 65532:65532
 ENTRYPOINT ["/dependency-controller"]
 
-FROM gcr.io/distroless/static:nonroot AS webhook
+FROM gcr.io/distroless/static:nonroot@sha256:e3f945647ffb95b5839c07038d64f9811adf17308b9121d8a2b87b6a22a80a39 AS webhook
 WORKDIR /
 COPY --from=webhook-builder /workspace/bin/dependency-webhook .
 USER 65532:65532
 ENTRYPOINT ["/dependency-webhook"]
 
 # Combined image with both binaries (used by e2e tests and single-image deployments).
-FROM gcr.io/distroless/static:nonroot
+FROM gcr.io/distroless/static:nonroot@sha256:e3f945647ffb95b5839c07038d64f9811adf17308b9121d8a2b87b6a22a80a39
 WORKDIR /
 COPY --from=controller-builder /workspace/bin/dependency-controller .
 COPY --from=webhook-builder /workspace/bin/dependency-webhook .

diff --git a/renovate.json b/renovate.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:recommended", "helpers:pinGitHubActionDigests"],
+  "extends": ["config:recommended", "helpers:pinGitHubActionDigests", "docker:pinDigests"],
   "minimumReleaseAge": "1 day",
   "osvVulnerabilityAlerts": true,
   "vulnerabilityAlerts": {