diff --git a/Dockerfile b/Dockerfile
index 92696eae..643ad7e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
-# syntax=docker/dockerfile:1
+# syntax=docker/dockerfile:1@sha256:fe40cf4e92cd0c467be2cfc30657a680ae2398318afd50b0c80585784c604f28
 ARG PYVER=3.11.9
 ARG ALPTAG=3.20@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
-FROM python:${PYVER}-alpine${ALPTAG} as builder
+FROM python:latest@sha256:fcad5ffb670a9f1edc5cc232b2b321e617aaaae1a22c54242964178e408e0057:${PYVER}-alpine${ALPTAG} as builder
 
 # Add the community repo for access to patchelf binary package
 ARG ALPTAG
@@ -32,7 +32,7 @@ RUN python3 post4docker.py
 
 ### Copy frozen binary to the container that will actually be published
 ARG ALPTAG
-FROM alpine:${ALPTAG}
+FROM alpine:latest@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d:${ALPTAG}
 RUN apk --no-cache upgrade && apk --no-cache add openssl-dev expat
 # The path `curator_build` is from `builder` and `post4docker.py`
 COPY --from=builder curator_build /curator/
diff --git a/docker_test/scripts/Dockerfile.tmpl b/docker_test/scripts/Dockerfile.tmpl
index 7675629a..59ab028b 100755
--- a/docker_test/scripts/Dockerfile.tmpl
+++ b/docker_test/scripts/Dockerfile.tmpl
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:experimental
+# syntax=docker/dockerfile:experimental@sha256:600e5c62eedff338b3f7a0850beb7c05866e0ef27b2d2e8c02aa468e78496ff5
 ARG VERSION=ES_VERSION
 FROM elasticsearch:${VERSION}