diff --git a/compose.yaml b/compose.yaml
index 4fe50ab..d19606f 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,7 +1,8 @@
 ---
 services:
 db:
- image: postgres:18-alpine
+ # yamllint disable-line rule:line-length
+ image: postgres:18-alpine@sha256:54451ecb8ab38c24c3ec123f2fd501303a3a1856a5c66e98cecf2460d5e1e9d7
 environment:
 - POSTGRES_PASSWORD=postgres
 volumes:
diff --git a/docker/app/Dockerfile b/docker/app/Dockerfile
index 9372f2d..c679a1b 100644
--- a/docker/app/Dockerfile
+++ b/docker/app/Dockerfile
@@ -1,7 +1,7 @@
 ARG PROJECT_NAME="{{ project_name }}"
 # STAGE 1: BUILD NODE
-FROM node:25.9-alpine AS build-node
+FROM node:25.9-alpine@sha256:bdf2cca6fe3dabd014ea60163eca3f0f7015fbd5c7ee1b0e9ccb4ced6eb02ef4 AS build-node
 ARG PROJECT_NAME
 WORKDIR /app
@@ -18,10 +18,10 @@ RUN --mount=type=bind,source=package.json,target=package.json \
 # STAGE 2: BUILD PYTHON
-FROM python:3.14 AS build-python
+FROM python:3.14@sha256:0ba001803c72c128063cfa88863755f905cefabe73c026c66a5a86d8f1d63e98 AS build-python
 WORKDIR /app
-COPY --from=ghcr.io/astral-sh/uv:0.11.2 /uv /uvx /bin/
+COPY --from=ghcr.io/astral-sh/uv:0.11.2@sha256:c4f5de312ee66d46810635ffc5df34a1973ba753e7241ce3a08ef979ddd7bea5 /uv /uvx /bin/
 ENV PYTHONPYCACHEPREFIX=/tmp/pycache
 ENV PYTHONUNBUFFERED=1
 ENV UV_COMPILE_BYTECODE=1
diff --git a/docker/prettier/Dockerfile b/docker/prettier/Dockerfile
index 9df7dbd..f490ed1 100644
--- a/docker/prettier/Dockerfile
+++ b/docker/prettier/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:25.9-alpine AS ui
+FROM node:25.9-alpine@sha256:bdf2cca6fe3dabd014ea60163eca3f0f7015fbd5c7ee1b0e9ccb4ced6eb02ef4 AS ui
 WORKDIR /root
 RUN --mount=type=bind,source=docker/prettier/package.json,target=package.json \
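Review bot: The digest added on the `image:` line of `compose.yaml` freezes the Postgres image, so security fixes later published under `postgres:18-alpine` will not be pulled until someone replaces the hash. The same holds for the pinned `FROM` and `COPY --from` lines in `docker/app/Dockerfile` and `docker/prettier/Dockerfile`. Nothing in this diff shows an automated digest updater, so unless one is configured elsewhere the pins can go stale without anyone noticing. I would add a separate comment line above the yamllint directive saying how the pin is maintained, for example `# Pinned by digest for reproducible pulls; update the digest whenever the tag is bumped.`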
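Review bot: The node digest on the `FROM ... AS build-node` line in `docker/app/Dockerfile` is repeated verbatim in `docker/prettier/Dockerfile`, and the two copies can only be kept equal by hand. If one is refreshed and the other is not, the app build and the prettier image run on different node builds and nothing reports it. A one-line comment above each `FROM` would make the coupling visible, e.g. `# keep this digest in sync with docker/prettier/Dockerfile` here and the mirror-image comment in the other file. The build-node stage continues outside the hunk.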
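Review bot: On the `FROM python:3.14@sha256:… AS build-python` line the tag no longer selects the image, because the tag is not consulted once a digest is present. `3.14` therefore tells a reader only the minor series, not which patch release the hash points at or how old it is. I would write the patch tag the digest was resolved from, `FROM python:3.14.<patch>@sha256:<same digest> AS build-python`, so the age of the pin can be read off the line. It is also worth confirming that this hash and the one on the `COPY --from=ghcr.io/astral-sh/uv:0.11.2@sha256:…` line are multi-arch index digests rather than single-platform manifests; the diff does not show which, and a platform-specific digest would break builds on other architectures. The build-python stage continues below the hunk.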