diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index d90a885..774da8f 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -18,15 +18,15 @@ jobs:
           apt update
           apt install -y docker-ce docker-ce-cli containerd.io
       - name: Checkout branch
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Login to Gitea
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: git.toast-server.net
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Build and push image
-        uses: docker/build-push-action@v5.1.0
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           context: .
           file: Dockerfile
diff --git a/Dockerfile b/Dockerfile
index 2856c15..d6f1a83 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,11 @@
-FROM rust:1.74-alpine3.18 AS compiler
+FROM rust:1.74-alpine3.18@sha256:e6e45a7d5d8b7acb2a2915a35c4b12868b6cc089da61f4fbbb719673f2fcd60c AS compiler
 ENV RUSTFLAGS="-C target-feature=-crt-static"
 RUN apk add --no-cache openssl-dev musl-dev 
 WORKDIR /usr/src/kon
 COPY . .
 RUN cargo fetch && cargo build -r
 
-FROM alpine:3.19
+FROM alpine:3.19@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
 RUN apk add --no-cache openssl-dev libgcc
 WORKDIR /kon
 COPY --from=compiler /usr/src/kon/target/release/kon .