diff --git a/scripts/docker_version_control.sh b/scripts/docker_version_control.sh
new file mode 100755
index 000000000000..41e536f08073
--- /dev/null
+++ b/scripts/docker_version_control.sh
@@ -0,0 +1,42 @@
+# This script is for reproducible build.
+# Reproducible build for docker enabled: Before build docker image, this script will change image:tag to image:sha256 in DOCKERFILE.
+# And record image sha256 to a target file.
+#!/bin/bash
+
+IMAGENAME=$1
+DOCKERFILE=$2
+ARCH=$3
+DOCKERFILE_TARGE=$4
+DISTRO=$5
+
+version_file=files/build/versions/default/versions-docker
+new_version_file=target/versions/default/versions-docker
+mkdir -p target/versions/default
+
+. src/sonic-build-hooks/buildinfo/config/buildinfo.config
+
+image_tag=`grep "^FROM " $DOCKERFILE | awk '{print$2}'`
+image=`echo $image_tag | cut -f1 -d:`
+tag=`echo $image_tag | cut -f2 -d:`
+
+# if docker image not in white list, exit
+if [[ "$IMAGENAME" != sonic-slave-* ]] && [[ "$IMAGENAME" != docker-base* ]];then
+ exit 0
+fi
+
+if [[ ",$SONIC_VERSION_CONTROL_COMPONENTS," == *,all,* ]] || [[ ",$SONIC_VERSION_CONTROL_COMPONENTS," == *,docker,* ]]; then
+ if [ -f $version_file ];then
+ hash_value=`grep "${ARCH}:${image_tag}" $version_file | awk -F== '{print$2}'`
+ fi
+ if [ -z $hash_value ];then
+ hash_value=unknown
+ fi
+ oldimage=${image_tag//\//\\/}
+ newimage="${oldimage}@$hash_value"
+ sed -i "s/$oldimage/$newimage/" $DOCKERFILE
+else
+ hash_value=`docker pull $image_tag | grep Digest | awk '{print$2}'`
+fi
+if [[ "$hash_value" != "unknown" ]];then
+ echo -e "${ARCH}:${image_tag}==$hash_value" >> $new_version_file
+fi
diff --git a/scripts/prepare_docker_buildinfo.sh b/scripts/prepare_docker_buildinfo.sh
index aa3aaaa4bed5..d2b2c57185d1 100755
--- a/scripts/prepare_docker_buildinfo.sh
+++ b/scripts/prepare_docker_buildinfo.sh
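Review bot: The digest lookup `grep "${ARCH}:${image_tag}" $version_file` in docker_version_control.sh is an unanchored regex match, so an entry for a longer tag sharing the same prefix, or several entries at once, can be returned; the wrong digest, or a multi-word value that breaks the unquoted `[ -z $hash_value ]`, then gets pinned into the Dockerfile. An exact key match is safer, e.g. `hash_value=$(awk -F== -v k="${ARCH}:${image_tag}" '$1==k{print $2; exit}' "$version_file")`, with the test quoted as `[ -z "$hash_value" ]`. When no entry is found the script still rewrites the `FROM` line to `image:tag@unknown`; printing an error and exiting non-zero at that point would make the missing pin explicit instead of leaving it to surface, presumably, as a Docker reference-format error later in the build. The `#!/bin/bash` line is the fourth line of the file, so it is a plain comment rather than a shebang and the `[[ … ]]` tests depend on whichever shell the caller falls back to; it should be moved to line 1.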
@@ -22,7 +22,10 @@ if [ -z "$DISTRO" ]; then [ -z "$DISTRO" ] && DISTRO=jessie fi -DOCKERFILE_PRE_SCRIPT='# Auto-Generated for buildinfo +# add script for reproducible build. using sha256 instead of tag for docker base image. +scripts/docker_version_control.sh $@ + +DOCKERFILE_PRE_SCRIPT='# Auto-Generated for buildinfo COPY ["buildinfo", "/usr/local/share/buildinfo"] RUN dpkg -i /usr/local/share/buildinfo/sonic-build-hooks_1.0_all.deb RUN pre_run_buildinfo' diff --git a/scripts/versions_manager.py b/scripts/versions_manager.py index a59d85dd8a96..3a46aaafe229 100755 --- a/scripts/versions_manager.py +++ b/scripts/versions_manager.py @@ -374,10 +374,12 @@ def __init__(self, target_path="./target", source_path='.'): def load_from_target(self): dockers_path = os.path.join(self.target_path, 'versions/dockers') build_path = os.path.join(self.target_path, 'versions/build') + default_path = os.path.join(self.target_path, 'versions/default') modules = {} self.modules = modules file_paths = glob.glob(dockers_path + '/*') file_paths += glob.glob(build_path + '/build-*') + file_paths += glob.glob(default_path) file_paths.append(os.path.join(self.target_path, 'versions/host-image')) file_paths.append(os.path.join(self.target_path, 'versions/host-base-image')) for file_path in file_paths:
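Review bot: The new call `scripts/docker_version_control.sh $@` in prepare_docker_buildinfo.sh passes the arguments unquoted and ignores the exit status, so a failure while pinning the base image (a missing versions file, a failed `sed`) would let the build continue with the mutable tag still in the Dockerfile. Suggest `scripts/docker_version_control.sh "$@" || exit 1`, so that a reproducible-build run stops when the digest could not be applied. Whether the script already runs under `set -e` is not visible in this hunk; if it does, only the quoting change is needed.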
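Review bot: In `load_from_target`, `glob.glob(default_path)` has no wildcard, so it returns the `versions/default` directory itself when it exists (and nothing otherwise), not the files inside it. If that is the intent, a short comment such as `# default_path is a module directory; glob() only filters it out when missing` would make it clear, or it could be written as `file_paths.append(default_path)` to match the two `append` lines below. The loop body over `file_paths` is outside the hunk, so whether it already skips missing paths or expects directories cannot be confirmed from here.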