diff --git a/.github/workflows/dependabot_automerge.yml b/.github/workflows/dependabot_automerge.yml index 76663cb923..fbfb121e03 100644 --- a/.github/workflows/dependabot_automerge.yml +++ b/.github/workflows/dependabot_automerge.yml @@ -12,7 +12,7 @@ jobs: if: ${{ github.actor == 'dependabot[bot]' }} steps: - name: Wait for check is finished - uses: lewagon/wait-on-check-action@v1.3.1 + uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812 # v1.3.1 id: wait_for_checks with: ref: ${{ github.event.pull_request.head.sha || github.sha }} @@ -28,7 +28,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v1.6.0 + uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 with: github-token: "${{ secrets.PR_TOKEN }}" - name: Enable auto-merge for Dependabot PRs diff --git a/.github/workflows/gobuild.yml b/.github/workflows/gobuild.yml index b4e645634f..5ea3357c4f 100644 --- a/.github/workflows/gobuild.yml +++ b/.github/workflows/gobuild.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Fetch Repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 with: fetch-depth: 0 # Fetch all history so diffs can be performed diff --git a/aws-sam-container/app/Dockerfile b/aws-sam-container/app/Dockerfile index 8c970ed85a..ce0c77a80c 100644 --- a/aws-sam-container/app/Dockerfile +++ b/aws-sam-container/app/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20 as build-env +FROM golang:1.20@sha256:c58c636721d1e30938f783f9daf1093a9939256f23f895f6b71b36580d0e46f9 as build-env WORKDIR /go/src/app 
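Review bot: Nothing in the diff ties the pinned commit `e106e5c43e8ca1edea6383a39a01c5ca495fd812` on the `lewagon/wait-on-check-action` line to the `v1.3.1` release except the trailing comment. The same holds for the `dependabot/fetch-metadata` pin in the next hunk and the `actions/checkout` pin in gobuild.yml. A `uses:` SHA can resolve to a commit that exists only in a fork of the action's repository, so each hash should be compared with the commit the tag points to in the upstream repository before this is merged. The check matters most for the second job, which passes `secrets.PR_TOKEN` to the pinned action. Both jobs begin outside the hunks, so their `permissions:` settings cannot be seen from here.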
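Review bot: The trailing comment `# v4` on the `actions/checkout` line names a moving major tag, while the SHA it annotates is one fixed commit, so the comment does not say which release is actually pinned. Writing the exact release, `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v<exact release>`, would match the two pins in dependabot_automerge.yml, which carry `# v1.3.1` and `# v1.6.0`. It would also give reviewers and update tooling a precise version to compare the hash against. The steps list continues outside the hunk.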
@@ -6,9 +6,9 @@ COPY . . RUN CGO_ENABLED=0 go build -ldflags "-s -w" -o /go/bin/app -FROM gcr.io/distroless/static-debian11:latest +FROM gcr.io/distroless/static-debian11:latest@sha256:9be3fcc6abeaf985b5ecce59451acbcbb15e7be39472320c538d0d55a0834edc -COPY --from=public.ecr.aws/awsguru/aws-lambda-adapter:0.7.0 /lambda-adapter /opt/extensions/lambda-adapter +COPY --from=public.ecr.aws/awsguru/aws-lambda-adapter:0.7.0@sha256:c82920b82cd7fc20febf8bd608e907610bb32015edaf0fd6c065138d17125c12 /lambda-adapter /opt/extensions/lambda-adapter COPY --from=build-env /go/bin/app / ENV PORT=3000 diff --git a/cloud-run/Dockerfile b/cloud-run/Dockerfile index cbc8fd36d7..2ae78e687e 100644 --- a/cloud-run/Dockerfile +++ b/cloud-run/Dockerfile @@ -1,4 +1,4 @@ -FROM golang as build-go +FROM golang@sha256:6fbd2d3398db924f8d708cf6e94bd3a436bb468195daa6a96e80504e0a9615f2 as build-go WORKDIR /cloud-run-example COPY go.mod . COPY go.sum . @@ -6,7 +6,7 @@ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /bin/cloud-run-example . -FROM alpine:latest +FROM alpine:latest@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 RUN addgroup -S cloud-run-example && adduser -S cloud-run-example -G cloud-run-example USER cloud-run-example WORKDIR /home/cloud-run-example diff --git a/fiber-envoy-extauthz/app/Dockerfile b/fiber-envoy-extauthz/app/Dockerfile index c70fca1c00..9405d4b1d3 100644 --- a/fiber-envoy-extauthz/app/Dockerfile +++ b/fiber-envoy-extauthz/app/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:alpine AS builder +FROM golang:alpine@sha256:fd78f2fb1e49bcf343079bbbb851c936a18fc694df993cbddaa24ace0cc724c5 AS builder WORKDIR /bin COPY go.mod . COPY go.sum . 
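Review bot: In `FROM gcr.io/distroless/static-debian11:latest@sha256:…` the `latest` tag no longer selects anything, because a reference that carries a digest is resolved by the digest alone. The line therefore reads as if it tracked the newest image while it is in fact frozen, which is easy to misjudge when assessing patch level. Naming the release the digest was taken from, in the form `FROM <image>:<version>@sha256:<digest>`, keeps the pin and tells the reader what is pinned. The same applies to the `alpine:latest@sha256:…` lines in cloud-run, fiber-envoy-extauthz (app and authz), k8s, react-router and todo-app-with-auth-gorm.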
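Review bot: `FROM golang@sha256:6fbd2d3398db924f8d708cf6e94bd3a436bb468195daa6a96e80504e0a9615f2 as build-go` pins a digest with no tag at all, so the Dockerfile no longer states which Go toolchain builds the binary. k8s/Dockerfile has the same line, and the bare `alpine@sha256:…` lines in gcloud, gcloud-firebase and url-shortener-api/api have the same readability problem. aws-sam-container/app/Dockerfile in this commit uses `golang:1.20@sha256:…`, which keeps the version visible. The same form would work here: `FROM golang:<version>@sha256:<digest> as build-go`.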
@@ -6,7 +6,7 @@ RUN go mod download COPY main.go . RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o app main.go -FROM alpine:latest AS final +FROM alpine:latest@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 AS final WORKDIR / COPY --from=builder /bin/app ./ EXPOSE 3000 diff --git a/fiber-envoy-extauthz/authz/Dockerfile b/fiber-envoy-extauthz/authz/Dockerfile index d1c3587e89..01ce279a79 100644 --- a/fiber-envoy-extauthz/authz/Dockerfile +++ b/fiber-envoy-extauthz/authz/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:alpine AS builder +FROM golang:alpine@sha256:fd78f2fb1e49bcf343079bbbb851c936a18fc694df993cbddaa24ace0cc724c5 AS builder WORKDIR /bin COPY go.mod . COPY go.sum . @@ -6,7 +6,7 @@ RUN go mod download COPY main.go . RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o app main.go -FROM alpine:latest AS final +FROM alpine:latest@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 AS final WORKDIR / COPY --from=builder /bin/app ./ EXPOSE 1337 diff --git a/gcloud-firebase/Dockerfile b/gcloud-firebase/Dockerfile index 4bbff01168..6af0a88fd7 100644 --- a/gcloud-firebase/Dockerfile +++ b/gcloud-firebase/Dockerfile @@ -14,7 +14,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -v -o app cmd/main.go # Use a Docker multi-stage build to create a lean production image. # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds -FROM alpine +FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 RUN apk add --no-cache ca-certificates # Copy the binary to the production image from the builder stage. diff --git a/gcloud/Dockerfile b/gcloud/Dockerfile index 4bbff01168..6af0a88fd7 100644 --- a/gcloud/Dockerfile +++ b/gcloud/Dockerfile 
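Review bot: With `FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48` in gcloud-firebase/Dockerfile the runtime base is frozen at one image, so base-image security fixes reach this service only when the digest is bumped. The commit does not show an update configuration for the Dockerfiles (for example a `docker` ecosystem entry in the Dependabot config), so it should be confirmed that one covers every directory touched here, the `redis:alpine@sha256:…` pin in url-shortener-api/db included. The `RUN apk add --no-cache ca-certificates` on the next line still installs whatever package version is current at build time, so the pin alone does not make the image reproducible. A short comment above the `FROM`, such as `# digest pinned; bumped by the dependency updater`, would record the intent. The stage continues outside the hunk.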
@@ -14,7 +14,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -v -o app cmd/main.go # Use a Docker multi-stage build to create a lean production image. # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds -FROM alpine +FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 RUN apk add --no-cache ca-certificates # Copy the binary to the production image from the builder stage. diff --git a/k8s/Dockerfile b/k8s/Dockerfile index a00d082242..dff8e3e1ff 100644 --- a/k8s/Dockerfile +++ b/k8s/Dockerfile @@ -1,4 +1,4 @@ -FROM golang AS builder +FROM golang@sha256:6fbd2d3398db924f8d708cf6e94bd3a436bb468195daa6a96e80504e0a9615f2 AS builder WORKDIR /k8s-example COPY go.mod . COPY go.sum . @@ -6,7 +6,7 @@ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /bin/k8s-example . -FROM alpine:latest +FROM alpine:latest@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 RUN apk --no-cache add ca-certificates RUN addgroup -S k8s-example && adduser -S k8s-example -G k8s-example USER k8s-example diff --git a/react-router/Dockerfile b/react-router/Dockerfile index 5e2e002717..22b7b19427 100644 --- a/react-router/Dockerfile +++ b/react-router/Dockerfile @@ -34,7 +34,7 @@ COPY ./web . RUN yarn build # Last stage: discard everything except our executables. -FROM alpine:latest AS prod +FROM alpine:latest@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 AS prod # Set our next working directory. WORKDIR /build diff --git a/todo-app-with-auth-gorm/Dockerfile b/todo-app-with-auth-gorm/Dockerfile index 8b93530166..64c19c961d 100644 --- a/todo-app-with-auth-gorm/Dockerfile +++ b/todo-app-with-auth-gorm/Dockerfile 
@@ -1,12 +1,12 @@ #build stage -FROM golang:alpine AS builder +FROM golang:alpine@sha256:fd78f2fb1e49bcf343079bbbb851c936a18fc694df993cbddaa24ace0cc724c5 AS builder WORKDIR /go/src/app COPY . . RUN go get -d -v . && go build -ldflags="-s -w" main.go #final stage -FROM alpine:latest +FROM alpine:latest@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 LABEL maintainer=numtostr version=0.0.1 COPY --from=builder /go/src/app/main /main EXPOSE 4000 diff --git a/url-shortener-api/api/Dockerfile b/url-shortener-api/api/Dockerfile index f6d0c65f87..90e0012eab 100644 --- a/url-shortener-api/api/Dockerfile +++ b/url-shortener-api/api/Dockerfile @@ -1,6 +1,6 @@ # multistage docker build. This redices the size of the final docker image. # stage 1 to build the app -FROM golang:alpine as builder +FROM golang:alpine@sha256:fd78f2fb1e49bcf343079bbbb851c936a18fc694df993cbddaa24ace0cc724c5 as builder RUN mkdir /build @@ -11,7 +11,7 @@ WORKDIR /build RUN go build -o main . # stage 2 deploys the app built in stage 1 -FROM alpine +FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 RUN adduser -S -D -H -h /app appuser diff --git a/url-shortener-api/db/Dockerfile b/url-shortener-api/db/Dockerfile index a58a3e8907..8105214029 100644 --- a/url-shortener-api/db/Dockerfile +++ b/url-shortener-api/db/Dockerfile @@ -1,3 +1,3 @@ -FROM redis:alpine +FROM redis:alpine@sha256:995e6eaab954e92cadf1a0bb1eab71ae3baae8e02ea4354fd8aa136a61e42247 EXPOSE 6379 \ No newline at end of file