diff --git a/.drone.yml b/.drone.yml
index d279f8f..89291db 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -4,7 +4,7 @@ type: docker
 name: docker-push
 steps:
 - name: docker
- image: plugins/docker
+ image: plugins/docker@sha256:4e482ef91fb2695d658a85c60772d7f75f931e0883e23ec0954f0bc17ccc0663
 settings:
 auto_tag: true
 dockerfile: Dockerfile
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 37e3455..7a4198a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,12 +11,12 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 with:
 persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
 with:
 go-version: 1.24.2
 - name: Build
diff --git a/Dockerfile b/Dockerfile
index 0e46c3f..756186f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,11 @@
-FROM golang:1.25.4 AS build
+FROM golang:1.25.4@sha256:e68f6a00e88586577fafa4d9cefad1349c2be70d21244321321c407474ff9bf2 AS build
 WORKDIR /src
 COPY . .
 RUN go mod download && \
 CGO_ENABLED=0 GOOS=linux go build -a -o app .
-FROM alpine:latest
+FROM alpine:latest@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412
 RUN addgroup -g 1000 app && \
 adduser -u 1000 -h /app -G app -S app
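Review bot: The new `image:` value of the `docker` step in `.drone.yml` is a bare digest with no tag, so nothing in the file says which plugins/docker release it is and a reviewer cannot check the digest against a published version. Keep the digest but record the release beside it, for example a comment line above it such as `# plugins/docker <release tag>, digest resolved <date>`, or the combined form `plugins/docker:<release tag>@sha256:<digest as committed>` if the runner accepts it. This step builds and pushes images and so presumably holds registry credentials, which is why the pin should be auditable as well as present. The `steps:` list continues outside the hunk.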
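Review bot: The trailing `# v2` on both pinned `uses:` lines in `ci.yml` names the floating major tag, not the release the commit SHA belongs to, so the comment cannot be used to verify the pin and goes stale as soon as `v2` moves. Write the exact release instead, e.g. `uses: actions/checkout@<sha as committed> # v2.<minor>.<patch>`, and the same for `actions/setup-go`; tools that bump SHA pins generally rewrite that comment as well. Separately, the v2 line of both actions is several majors old, so the pin also freezes the workflow on it, and moving to a current major before pinning may be worth a follow-up. The job's step list continues past the hunk.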
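Review bot: In the final stage of the `Dockerfile`, `FROM alpine:latest@sha256:…` keeps the `latest` tag although the digest is what gets pulled, so the line reads as if it tracks the newest Alpine while it is in fact frozen at one image. Name the release the digest was resolved from, `FROM alpine:<release>@sha256:<digest as committed>`, so the pinned version is visible in review. With digests fixed here and in `.drone.yml` and commit SHAs in `ci.yml`, rebuilds no longer pick up base-image or action fixes on their own; nothing in this commit adds an automated bump such as a Renovate or Dependabot config, though one may exist elsewhere in the repository. The final stage continues outside the hunk.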