diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ed14615e5..8cef838c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,24 +13,24 @@ jobs:
         name: Release Build
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
             - name: Set up JDK 17
-              uses: actions/setup-java@v3
+              uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
               with:
                   distribution: 'temurin'
                   java-version: 17
                   architecture: x64
 
             - name: Cache Maven packages
-              uses: actions/cache@v3.3.2
+              uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
               with:
                   path: ~/.m2
                   key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
                   restore-keys: ${{ runner.os }}-m2
 
             - id: reponame
-              uses: ASzc/change-string-case-action@v6
+              uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6
               with:
                   string: ${{github.event.repository.name}}
         
@@ -49,7 +49,7 @@ jobs:
 
             - name: "Docker Build Release"
               if: startsWith(github.ref, 'refs/heads/v') || github.ref == 'refs/heads/main' && github.event_name == 'push' 
-              uses: docker/build-push-action@v5.0.0
+              uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
               with:
                 context: ./
                 file: ./Dockerfile
diff --git a/Dockerfile b/Dockerfile
index 02d89dcd6..16337ccd5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/eclipse-temurin:17-jre-focal
+FROM docker.io/eclipse-temurin:17-jre-focal@sha256:d7ec0d23cc1675eb16a266af1d4f5d41db60260af3fcd81c42de2e6ed3dc4dba
 LABEL NAME = "WebGoat: A deliberately insecure Web Application"
 MAINTAINER "WebGoat team"
 
diff --git a/Dockerfile_desktop b/Dockerfile_desktop
index ffc3837f6..9d03f1b0b 100644
--- a/Dockerfile_desktop
+++ b/Dockerfile_desktop
@@ -1,4 +1,4 @@
-FROM lscr.io/linuxserver/webtop:ubuntu-xfce
+FROM lscr.io/linuxserver/webtop:ubuntu-xfce@sha256:2b516c1d4c3e5003e267a552e3f466f71bb07858d65e773cd6bac2a9214d122a
 LABEL NAME = "WebGoat: A deliberately insecure Web Application"
 MAINTAINER "WebGoat team"