diff --git a/Dockerfile b/Dockerfile
index 5191fdf64df..a6e7a41f220 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.21@sha256:27f9262d43452075f3c410287a2c43f5ef1bf7ec2bb06e8c9eeb1b8d453087bc
 
 # NOTE: This Dockerfile can only be built using BuildKit. BuildKit is used by
 # default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
 # in environment variables.
 
-FROM --platform=$BUILDPLATFORM grafana/alloy-build-image:v0.1.28 AS ui-build
+FROM --platform=$BUILDPLATFORM grafana/alloy-build-image:v0.1.28@sha256:982eb27dfc3111a3a81eb605d2e80d0c6c21a32842c2652b6390be6cd80da6fb AS ui-build
 ARG BUILDPLATFORM
 COPY ./internal/web/ui /ui
 WORKDIR /ui
@@ -12,7 +12,7 @@ RUN --mount=type=cache,target=/ui/node_modules,sharing=locked \
     npm install                                               \
     && npm run build
 
-FROM --platform=$BUILDPLATFORM grafana/alloy-build-image:v0.1.28 AS build
+FROM --platform=$BUILDPLATFORM grafana/alloy-build-image:v0.1.28@sha256:982eb27dfc3111a3a81eb605d2e80d0c6c21a32842c2652b6390be6cd80da6fb AS build
 
 ARG BUILDPLATFORM
 ARG TARGETPLATFORM
@@ -39,7 +39,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 
 ###
 
-FROM public.ecr.aws/ubuntu/ubuntu:noble
+FROM public.ecr.aws/ubuntu/ubuntu:noble@sha256:b1940c8ecf8ff591053cc5db0303fb882f9fafec50f26892a870bcbe1b30d25a
 
 # Username and uid for alloy user
 ARG UID="473"
diff --git a/Dockerfile.windows b/Dockerfile.windows
index 8517fa6a496..fbcb1de46d4 100644
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -1,5 +1,5 @@
-ARG BASE_IMAGE_GO=library/golang:1.24-windowsservercore-ltsc2022
-ARG BASE_IMAGE_WINDOWS=mcr.microsoft.com/windows/nanoserver:ltsc2022
+ARG BASE_IMAGE_GO=library/golang:1.26-windowsservercore-ltsc2022@sha256:8231fbb9b76c4acf94daf580a35ef5a64480e545aded8062fb29deaf456c145f
+ARG BASE_IMAGE_WINDOWS=mcr.microsoft.com/windows/nanoserver:ltsc2022@sha256:60612a30303eb5a15ce7f53fa2eecf70bca41d72657de0482fbde601ae5f3403
 
 FROM ${BASE_IMAGE_GO} AS builder
 
diff --git a/example/docker-compose/images/grizzly/Dockerfile b/example/docker-compose/images/grizzly/Dockerfile
index 6a040c1625b..ec355b5bfc5 100644
--- a/example/docker-compose/images/grizzly/Dockerfile
+++ b/example/docker-compose/images/grizzly/Dockerfile
@@ -1,3 +1,3 @@
-FROM golang:1.25.7-alpine
+FROM golang:1.26.0-alpine@sha256:d4c4845f5d60c6a974c6000ce58ae079328d03ab7f721a0734277e69905473e5
 
 RUN go install github.com/grafana/grizzly/cmd/grr@v0.7.1
diff --git a/example/docker-compose/images/jb/Dockerfile b/example/docker-compose/images/jb/Dockerfile
index c89e20eaa79..f08420c7286 100644
--- a/example/docker-compose/images/jb/Dockerfile
+++ b/example/docker-compose/images/jb/Dockerfile
@@ -1,3 +1,3 @@
-FROM golang:1.25.7-alpine
+FROM golang:1.26.0-alpine@sha256:d4c4845f5d60c6a974c6000ce58ae079328d03ab7f721a0734277e69905473e5
 
 RUN go install github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@v0.5.1
diff --git a/integration-tests/docker/configs/kafka/Dockerfile b/integration-tests/docker/configs/kafka/Dockerfile
index 695d6735e4f..a1419c4a912 100644
--- a/integration-tests/docker/configs/kafka/Dockerfile
+++ b/integration-tests/docker/configs/kafka/Dockerfile
@@ -1,10 +1,10 @@
-FROM golang:1.25.7 as build
+FROM golang:1.26.0@sha256:c83e68f3ebb6943a2904fa66348867d108119890a2c6a2e6f07b38d0eb6c25c5 as build
 WORKDIR /app/
 COPY go.mod go.sum ./
 COPY syntax/go.mod syntax/go.sum ./syntax/
 RUN go mod download
 COPY ./integration-tests/docker/configs/kafka/ ./
 RUN CGO_ENABLED=0 go build -o main main.go
-FROM alpine:3.18
+FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 COPY --from=build /app/main /app/main
 CMD ["/app/main"]
diff --git a/integration-tests/docker/configs/otel-gen/Dockerfile b/integration-tests/docker/configs/otel-gen/Dockerfile
index f9a243cbd16..cde419bf61a 100644
--- a/integration-tests/docker/configs/otel-gen/Dockerfile
+++ b/integration-tests/docker/configs/otel-gen/Dockerfile
@@ -1,10 +1,10 @@
-FROM golang:1.25.7 as build
+FROM golang:1.26.0@sha256:c83e68f3ebb6943a2904fa66348867d108119890a2c6a2e6f07b38d0eb6c25c5 as build
 WORKDIR /app/
 COPY go.mod go.sum ./
 COPY syntax/go.mod syntax/go.sum ./syntax/
 RUN go mod download
 COPY ./integration-tests/docker/configs/otel-gen/ ./
 RUN CGO_ENABLED=0 go build -o main main.go
-FROM alpine:3.18
+FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 COPY --from=build /app/main /app/main
 CMD ["/app/main"]
diff --git a/integration-tests/docker/configs/prom-gen/Dockerfile b/integration-tests/docker/configs/prom-gen/Dockerfile
index fa863766eb8..e22d1b4c4e6 100644
--- a/integration-tests/docker/configs/prom-gen/Dockerfile
+++ b/integration-tests/docker/configs/prom-gen/Dockerfile
@@ -1,10 +1,10 @@
-FROM golang:1.25.7 as build
+FROM golang:1.26.0@sha256:c83e68f3ebb6943a2904fa66348867d108119890a2c6a2e6f07b38d0eb6c25c5 as build
 WORKDIR /app/
 COPY go.mod go.sum ./
 COPY syntax/go.mod syntax/go.sum ./syntax/
 RUN go mod download
 COPY ./integration-tests/docker/configs/prom-gen/ ./
 RUN CGO_ENABLED=0 go build -o main main.go
-FROM alpine:3.18
+FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 COPY --from=build /app/main /app/main
 CMD ["/app/main"]
diff --git a/internal/tools/packaging_test/testdata/centos-systemd.Dockerfile b/internal/tools/packaging_test/testdata/centos-systemd.Dockerfile
index 7b12ab3bb64..fce5c4a327f 100644
--- a/internal/tools/packaging_test/testdata/centos-systemd.Dockerfile
+++ b/internal/tools/packaging_test/testdata/centos-systemd.Dockerfile
@@ -1,6 +1,6 @@
 # Build a CentOS image with systemd configured to test RPM package installation.
 # See the `test-packages` make target and associated script for how this image is used.
-FROM centos:8
+FROM centos:8@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
 ENV container docker
 RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
         systemd-tmpfiles-setup.service ] || rm -f $i; done); \
diff --git a/internal/tools/packaging_test/testdata/debian-systemd.Dockerfile b/internal/tools/packaging_test/testdata/debian-systemd.Dockerfile
index 2dccd6c2d9c..d339d05c5bc 100644
--- a/internal/tools/packaging_test/testdata/debian-systemd.Dockerfile
+++ b/internal/tools/packaging_test/testdata/debian-systemd.Dockerfile
@@ -1,6 +1,6 @@
 # Build a Debian image with systemd configured to test deb package installation.
 # See the `test-packages` make target and associated script for how this image is used.
-FROM debian:10
+FROM debian:10@sha256:58ce6f1271ae1c8a2006ff7d3e54e9874d839f573d8009c20154ad0f2fb0a225
 ENV container docker
 ENV LC_ALL C
 ENV DEBIAN_FRONTEND noninteractive
diff --git a/tools/build-image/Dockerfile b/tools/build-image/Dockerfile
index bdbfbdab1e4..2375f00ed32 100644
--- a/tools/build-image/Dockerfile
+++ b/tools/build-image/Dockerfile
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.21@sha256:27f9262d43452075f3c410287a2c43f5ef1bf7ec2bb06e8c9eeb1b8d453087bc
 
 # NOTE: This Dockerfile can only be built using BuildKit. BuildKit is used by
 # default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
@@ -15,18 +15,18 @@ ARG GO_RUNTIME=mustoverride
 #
 
 # Dependency: docker (for building images)
-FROM alpine:3.23 as docker
+FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 as docker
 RUN apk add --no-cache docker-cli docker-cli-buildx
 
 # Dependency: helm
-FROM alpine:3.23 as helm
+FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 as helm
 RUN apk add --no-cache helm
 
 # Dependency: nsis (for building Windows installers)
 # TODO: Use nsis with conda so that we don't have to pull those packages from the internet.
 # https://nsis.sourceforge.io/Conda
 # TODO: Why do we use i386? Is it correct?
-FROM alpine:3.23 as nsis
+FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 as nsis
 RUN wget -nv https://nsis.sourceforge.io/mediawiki/images/4/4a/AccessControl.zip \
  && unzip AccessControl.zip -d /usr/share/nsis/ \
  && mkdir -p /usr/share/nsis/Plugins/x86-unicode \
@@ -55,7 +55,7 @@ RUN go install sigs.k8s.io/controller-tools/cmd/controller-gen@$CONTROLLER_GEN_V
 
 # rfratto/viceroy contains C cross compilers can be used for our Cgo
 # dependencies.
-FROM rfratto/viceroy:v0.4.0
+FROM rfratto/viceroy:v0.4.0@sha256:7e3f328889b5b0c5c0303dda5e74a89189e6e437d33f609dde98f9a84337e0a2
 
 # Fix apt sources - restrict main bullseye to supported architectures
 RUN rm -f /etc/apt/sources.list \
diff --git a/tools/build-image/windows/Dockerfile b/tools/build-image/windows/Dockerfile
index 0575e814011..0259583f93d 100644
--- a/tools/build-image/windows/Dockerfile
+++ b/tools/build-image/windows/Dockerfile
@@ -1,4 +1,4 @@
-FROM library/golang:1.25.7-windowsservercore-ltsc2022
+FROM library/golang:1.26.0-windowsservercore-ltsc2022@sha256:8231fbb9b76c4acf94daf580a35ef5a64480e545aded8062fb29deaf456c145f
 
 SHELL ["powershell", "-command"]