diff --git a/stacks/flow.Dockerfile b/stacks/flow.Dockerfile
index de9dbb0d5e..0f997777e9 100644
--- a/stacks/flow.Dockerfile
+++ b/stacks/flow.Dockerfile
@@ -1,6 +1,6 @@
-# syntax=docker/dockerfile:1.2
+# syntax=docker/dockerfile:1.11@sha256:10c699f1b6c8bdc8f6b4ce8974855dd8542f1768c26eb240237b8f1c9c6c9976
 
-FROM golang:1.23-alpine AS builder
+FROM golang:1.23-alpine@sha256:9f68de83bef9e75cda99597d51778f4f5776ab8d9374e1094a3cd724401094c3 AS builder
 RUN apk add --no-cache gcc geos-dev musl-dev
 WORKDIR /root/flow
 
@@ -18,7 +18,7 @@ WORKDIR /root/flow
 ENV CGO_ENABLED=1
 RUN go build -ldflags="-s -w" -o /root/peer-flow
 
-FROM alpine:3.20 AS flow-base
+FROM alpine:3.20@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a AS flow-base
 RUN apk add --no-cache ca-certificates geos && \
   adduser -s /bin/sh -D peerdb
 USER peerdb
diff --git a/stacks/peerdb-server.Dockerfile b/stacks/peerdb-server.Dockerfile
index e30dd8bfce..c4c5a2b041 100644
--- a/stacks/peerdb-server.Dockerfile
+++ b/stacks/peerdb-server.Dockerfile
@@ -1,6 +1,6 @@
-# syntax=docker/dockerfile:1
+# syntax=docker/dockerfile:1@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5
 
-FROM lukemathwalker/cargo-chef:latest-rust-alpine3.20 as chef
+FROM lukemathwalker/cargo-chef:latest-rust-alpine3.20@sha256:9ba204a79235804a3a2f41467b09e499daad8bd637c72449ba30ada4070526ff as chef
 WORKDIR /root
 
 FROM chef as planner
@@ -21,7 +21,7 @@ COPY protos /root/protos
 WORKDIR /root/nexus
 RUN cargo build --release --bin peerdb-server
 
-FROM alpine:3.20
+FROM alpine:3.20@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a
 RUN apk add --no-cache ca-certificates postgresql-client curl iputils && \
   adduser -s /bin/sh -D peerdb && \
   install -d -m 0755 -o peerdb /var/log/peerdb
diff --git a/stacks/peerdb-ui.Dockerfile b/stacks/peerdb-ui.Dockerfile
index 8f281273bf..cd99e61a5f 100644
--- a/stacks/peerdb-ui.Dockerfile
+++ b/stacks/peerdb-ui.Dockerfile
@@ -1,7 +1,7 @@
-# syntax=docker/dockerfile:1.2
+# syntax=docker/dockerfile:1.11@sha256:10c699f1b6c8bdc8f6b4ce8974855dd8542f1768c26eb240237b8f1c9c6c9976
 
 # Base stage
-FROM node:22-alpine AS base
+FROM node:22-alpine@sha256:dc8ba2f61dd86c44e43eb25a7812ad03c5b1b224a19fc6f77e1eb9e5669f0b82 AS base
 ENV NPM_CONFIG_UPDATE_NOTIFIER=false
 RUN apk add --no-cache openssl && \
   mkdir /app && \