diff --git a/docker/relay.Dockerfile b/docker/relay.Dockerfile
index c23932a3..c3996940 100644
--- a/docker/relay.Dockerfile
+++ b/docker/relay.Dockerfile
@@ -1,9 +1,11 @@
-FROM rust:latest AS builder
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 AS builder
 WORKDIR /build
 COPY . .
 RUN cargo build --release -p willow-relay
-FROM rust:slim
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36
 RUN useradd -r -u 10001 -m -d /home/willow willow \
 && mkdir -p /etc/willow /shared \
 && chown -R willow:willow /etc/willow /shared
diff --git a/docker/replay.Dockerfile b/docker/replay.Dockerfile
index bb2c628d..74ed8485 100644
--- a/docker/replay.Dockerfile
+++ b/docker/replay.Dockerfile
@@ -1,9 +1,11 @@
-FROM rust:latest AS builder
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 AS builder
 WORKDIR /build
 COPY . .
 RUN cargo build --release -p willow-replay
-FROM rust:slim
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36
 RUN useradd -r -u 10001 -m -d /home/willow willow \
 && mkdir -p /etc/willow \
 && chown -R willow:willow /etc/willow
diff --git a/docker/storage.Dockerfile b/docker/storage.Dockerfile
index cc6f8c03..660cc53b 100644
--- a/docker/storage.Dockerfile
+++ b/docker/storage.Dockerfile
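Review bot: The second `FROM` in the relay hunk still uses the full `rust:1.95-slim-bookworm` toolchain image as the runtime base, so cargo and rustc ship in the deployed image even though the binary is already compiled in the `builder` stage. The runtime stage continues outside the hunk; if it only copies and runs the release binary, a digest-pinned `FROM debian:bookworm-slim@sha256:<DIGEST_PLACEHOLDER>` keeps the same Debian release with far fewer packages to track and patch. The runtime stages in the replay and storage hunks use the same base and raise the same question.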
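Review bot: The context line `RUN cargo build --release -p willow-replay` resolves crates without `--locked`, so the digest pin fixes the toolchain but not the dependency set. If `Cargo.lock` is missing from the build context or out of sync with a manifest, cargo resolves fresh versions instead of failing. `RUN cargo build --release --locked -p willow-replay` makes the build stop in that case. The equivalent build line in the relay and storage hunks has the same gap.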
@@ -1,9 +1,11 @@
-FROM rust:latest AS builder
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 AS builder
 WORKDIR /build
 COPY . .
 RUN cargo build --release -p willow-storage
-FROM rust:slim
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36
 RUN useradd -r -u 10001 -m -d /home/willow willow \
 && mkdir -p /etc/willow /var/lib/willow \
 && chown -R willow:willow /etc/willow /var/lib/willow
diff --git a/docker/web.Dockerfile b/docker/web.Dockerfile
index 8fe1677c..fa9c3c15 100644
--- a/docker/web.Dockerfile
+++ b/docker/web.Dockerfile
@@ -1,11 +1,13 @@
-FROM rust:latest AS builder
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 AS builder
 RUN rustup target add wasm32-unknown-unknown
 RUN cargo install trunk
 WORKDIR /build
 COPY . .
 RUN cd crates/web && trunk build --release
-FROM nginxinc/nginx-unprivileged:alpine
+# nginxinc/nginx-unprivileged:1.27-alpine pinned 2026-04-28; bump via `docker buildx imagetools inspect nginxinc/nginx-unprivileged:1.27-alpine`
+FROM nginxinc/nginx-unprivileged:1.27-alpine@sha256:65e3e85dbaed8ba248841d9d58a899b6197106c23cb0ff1a132b7bfe0547e4c0
 COPY --from=builder --chown=nginx:nginx /build/crates/web/dist/ /usr/share/nginx/html/
 RUN chmod 644 /usr/share/nginx/html/*
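Review bot: `RUN cargo install trunk` in the web builder stage still fetches whatever trunk release is current on crates.io at build time. Without `--locked` it also ignores the lockfile published with that crate, so the tool that produces the served assets stays unpinned on top of a digest-pinned base. `RUN cargo install trunk --locked --version <TRUNK_VERSION_PLACEHOLDER>` would close that gap. As a smaller style point, `RUN cd crates/web && trunk build --release` could become `WORKDIR /build/crates/web` followed by `RUN trunk build --release`.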