diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index f8e555c..c92d831 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: https://dock-it.dev/actions/checkout@v4
+        uses: https://dock-it.dev/actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
diff --git a/.gitea/workflows/verify.yml b/.gitea/workflows/verify.yml
index 7e62001..0181bb7 100644
--- a/.gitea/workflows/verify.yml
+++ b/.gitea/workflows/verify.yml
@@ -12,10 +12,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: https://dock-it.dev/actions/checkout@v4
+        uses: https://dock-it.dev/actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Go
-        uses: https://dock-it.dev/actions/setup-go@v5
+        uses: https://dock-it.dev/actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version-file: go.mod
           cache: true
diff --git a/Dockerfile b/Dockerfile
index 1b8a48c..081028c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,7 @@ COPY web ./web
 
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags="-s -w" -o /out/maintainarr ./cmd/maintainarr
 
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:96e378d7e6531ac9a15ad505478fcc2e69f371b10f5cdf87857c4b8188404716
 
 RUN apt-get update \
   && apt-get install -y --no-install-recommends ca-certificates tzdata \