diff --git a/service/biboumi/Containerfile b/service/biboumi/Containerfile
index afcc0cc..1c786eb 100644
--- a/service/biboumi/Containerfile
+++ b/service/biboumi/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=repology depName=debian_12/dovecot versioning=loose
 ARG VERSION=9.0
 
diff --git a/service/coturn/Containerfile b/service/coturn/Containerfile
index af340bc..2d89c42 100644
--- a/service/coturn/Containerfile
+++ b/service/coturn/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=repology depName=debian_12/dovecot versioning=loose
 ARG VERSION=4.6.1
 
diff --git a/service/dovecot/Containerfile b/service/dovecot/Containerfile
index d792539..2db3192 100644
--- a/service/dovecot/Containerfile
+++ b/service/dovecot/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=repology depName=debian_12/dovecot versioning=loose
 ARG VERSION=2.3.19
 
diff --git a/service/gitea/Containerfile b/service/gitea/Containerfile
index da3d6d7..8c8c590 100644
--- a/service/gitea/Containerfile
+++ b/service/gitea/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-releases depName=go-gitea/gitea
 ARG VERSION=1.21.2
 
diff --git a/service/gotosocial/Containerfile b/service/gotosocial/Containerfile
index 97dd01f..50b3d02 100644
--- a/service/gotosocial/Containerfile
+++ b/service/gotosocial/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-releases depName=superseriousbusiness/gotosocial
 ARG VERSION=0.13.0
 
diff --git a/service/grafana/Containerfile b/service/grafana/Containerfile
index 9703244..d577fb9 100644
--- a/service/grafana/Containerfile
+++ b/service/grafana/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-releases depName=grafana/grafana
 ARG VERSION=10.2.1
 
diff --git a/service/hugo/Containerfile b/service/hugo/Containerfile
index 259258d..19ca8c3 100644
--- a/service/hugo/Containerfile
+++ b/service/hugo/Containerfile
@@ -1,11 +1,11 @@
-FROM docker.io/golang:1.21-bookworm AS builder
+FROM docker.io/golang:1.21-bookworm@sha256:09ee26d3c9d6dd46913ba36e68b9041976010c2225f29759e6234909b17fe8bc AS builder
 
 WORKDIR /build
 ENV GOBIN=/build/bin
 
 RUN go install github.com/adnanh/webhook@latest
 
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-releases depName=gohugoio/hugo
 ARG VERSION=0.119.0
 
diff --git a/service/letsencrypt/Containerfile b/service/letsencrypt/Containerfile
index 7793de6..be064de 100644
--- a/service/letsencrypt/Containerfile
+++ b/service/letsencrypt/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/goacme/lego:v4.13.3
+FROM docker.io/goacme/lego:v4.13.3@sha256:ca1ffb4f730535425e2333d668ebbb377acfb9ab665b5e3b15c957412545f9f6
 
 RUN addgroup --system --gid 10000 letsencrypt
 RUN adduser --system --uid 10000 --ingroup letsencrypt --home /var/lib/letsencrypt letsencrypt
diff --git a/service/lldap/Containerfile b/service/lldap/Containerfile
index d566f6b..be0eeb9 100644
--- a/service/lldap/Containerfile
+++ b/service/lldap/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/rust:1.73 AS builder
+FROM docker.io/rust:1.73@sha256:25fa7a9aa4dadf6a466373822009b5361685604dbe151b030182301f1a3c2f58 AS builder
 # renovate: datasource=github-releases depName=lldap/lldap
 ARG VERSION=v0.5.0
 
@@ -17,7 +17,7 @@ RUN /lldap/app/build.sh && cd /lldap/app/static && \
     for file in $(cat libraries.txt); do wget "$file"; done && \
     for file in $(cat fonts/fonts.txt); do wget -P fonts "$file"; done
 
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 
 RUN apt-get update -y && apt-get install -y --no-install-recommends \
     gettext gosu
diff --git a/service/mariadb/Containerfile b/service/mariadb/Containerfile
index 854ed95..0b3d700 100644
--- a/service/mariadb/Containerfile
+++ b/service/mariadb/Containerfile
@@ -1,2 +1,2 @@
-FROM docker.io/mariadb:10.7
+FROM docker.io/mariadb:10.7@sha256:9a48ac9f196f3d4fd6fea2cab59a49df9e7ca459bf14b2f7b85a0e38a5454571
 USER mysql
diff --git a/service/navidrome/Containerfile b/service/navidrome/Containerfile
index 28e5762..0d78ab1 100644
--- a/service/navidrome/Containerfile
+++ b/service/navidrome/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-releases depName=navidrome/navidrome
 ARG VERSION=0.50.2
 
diff --git a/service/nginx/Containerfile b/service/nginx/Containerfile
index bfbbc79..3e87c87 100644
--- a/service/nginx/Containerfile
+++ b/service/nginx/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 ARG VERSION=1.25
 
 RUN apt-get update -y && apt-get install -y --no-install-recommends ca-certificates
diff --git a/service/postfix/Containerfile b/service/postfix/Containerfile
index bb6390e..e71d936 100644
--- a/service/postfix/Containerfile
+++ b/service/postfix/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=repology depName=debian_12/postfix versioning=loose
 ARG VERSION=3.7.6
 
diff --git a/service/prometheus/Containerfile b/service/prometheus/Containerfile
index 50721a3..f8b942e 100644
--- a/service/prometheus/Containerfile
+++ b/service/prometheus/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/golang:1.21-bookworm AS podman-exporter-builder
+FROM docker.io/golang:1.21-bookworm@sha256:09ee26d3c9d6dd46913ba36e68b9041976010c2225f29759e6234909b17fe8bc AS podman-exporter-builder
 
 RUN apt-get update -y && apt-get upgrade -y && \
     apt-get install -y --no-install-recommends libgpgme-dev libbtrfs-dev libdevmapper-dev libassuan-dev pkg-config
@@ -8,7 +8,7 @@ ARG PODMAN_EXPORTER_VERSION=v1.6.0
 RUN git clone --branch ${PODMAN_EXPORTER_VERSION} --depth 1 https://github.com/containers/prometheus-podman-exporter.git /src && \
     cd /src && make binary
 
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-releases depName=prometheus/prometheus
 ARG VERSION=2.48.0
 
diff --git a/service/prosody/Containerfile b/service/prosody/Containerfile
index 4e5e48b..ff95903 100644
--- a/service/prosody/Containerfile
+++ b/service/prosody/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-tags depName=bjc/prosody
 ARG VERSION=0.12.4
 ARG MODULES_VERSION=ef3aa6901a93
diff --git a/service/radicale/Containerfile b/service/radicale/Containerfile
index 2850d33..7f7def3 100644
--- a/service/radicale/Containerfile
+++ b/service/radicale/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=pipy depName=radicale
 ARG VERSION=3.1.8
 
diff --git a/service/rclone/Containerfile b/service/rclone/Containerfile
index 81a0853..0aeb4ac 100644
--- a/service/rclone/Containerfile
+++ b/service/rclone/Containerfile
@@ -1 +1 @@
-FROM docker.io/rclone/rclone:1.64.0
+FROM docker.io/rclone/rclone:1.64.0@sha256:696c31597e05c443de736f42e11914bb8327dcbb4f3c24efe1dc0d596f9b841f
diff --git a/service/redis/Containerfile b/service/redis/Containerfile
index c5cb3c5..637b3a1 100644
--- a/service/redis/Containerfile
+++ b/service/redis/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-releases depName=redis/redis
 ARG VERSION=7.2
 
diff --git a/service/rspamd/Containerfile b/service/rspamd/Containerfile
index 1d4b8dc..6f0f093 100644
--- a/service/rspamd/Containerfile
+++ b/service/rspamd/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 # renovate: datasource=github-releases depName=rspamd/rspamd
 ARG VERSION=3.7.5
 
diff --git a/service/rss2email/Containerfile b/service/rss2email/Containerfile
index 9ef3289..350540e 100644
--- a/service/rss2email/Containerfile
+++ b/service/rss2email/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bullseye-slim
+FROM docker.io/debian:bullseye-slim@sha256:d3d0d14f49b49a4dd98a436711f5646dc39e1c99203ef223d1b6620061e2c0e5
 # renovate: datasource=github-tags depName=rss2email/rss2email
 ARG VERSION=v3.14
 
diff --git a/service/slidge/Containerfile b/service/slidge/Containerfile
index 6c91de3..4388fec 100644
--- a/service/slidge/Containerfile
+++ b/service/slidge/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/debian:bookworm-slim AS builder-base
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340 AS builder-base
 
 RUN apt-get update -y && apt-get install -y --no-install-recommends \
     ca-certificates git curl python3 python3-pip python3-venv
@@ -53,7 +53,7 @@ RUN cd /src && poetry export --without-hashes > requirements.txt && \
 RUN cd /src/slidge_whatsapp && gopy build -vm=python3 -output=generated -no-make=true .
 RUN cp -R /src/slidge_whatsapp /venv/lib/python3.11/site-packages/legacy_module
 
-FROM docker.io/debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340
 ENV PYTHONUNBUFFERED=1
 ENV SLIDGE_LEGACY_MODULE=legacy_module