diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0c4c424389..3b5af02be7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,7 +8,7 @@ jobs:
       # Label used to access the service container
       db:
         # Docker Hub image
-        image: postgres:16
+        image: postgres:16@sha256:4b7183ac05f8ef417db21fd72d71047a4238340c261d3cc3ddb6d579ab5071ae
         # Set health checks to wait until postgres has started
         options: >-
           --health-cmd pg_isready
@@ -23,12 +23,12 @@ jobs:
           - 5432:5432
       
       redis:
-        image: redis:5.0.14
+        image: redis:5.0.14@sha256:fc5ecd863862f89f04334b7cbb57e93c9790478ea8188a49f6e57b0967d38c75
         ports:
           - 6379:6379
 
       opensearch:
-        image: opensearchproject/opensearch:1.3.20
+        image: opensearchproject/opensearch:1.3.20@sha256:0ecf20d1ec1b682fa1cf36c74900b547bd1d7da5817a14edf4236472e110863e
         env:
           network.host: "0.0.0.0"
           http.cors.enabled: "true"
@@ -40,7 +40,7 @@ jobs:
           - 9200:9200
   
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Apt update
         run: sudo apt-get update -y
@@ -49,7 +49,7 @@ jobs:
         run: cat Aptfile | sudo xargs apt-get install
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           enable-cache: true
 
@@ -135,17 +135,17 @@ jobs:
           DISABLE_WEBPACK_LOADER_STATS: 'True'
 
       - name: Upload coverage to CodeCov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
         with:
           file: ./coverage.xml
   
   javascript-tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up NodeJS
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: "14.18.2"
           cache: 'yarn'
@@ -178,6 +178,6 @@ jobs:
         run: node node_modules/webpack/bin/webpack.js --config webpack.config.prod.js --bail
 
       - name: Upload coverage to CodeCov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
         with:
           file: coverage/lcov.info
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index abdf474f20..333ea9dbdf 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -15,7 +15,7 @@ jobs:
       github.event_name == 'workflow_dispatch' ||
       github.event.workflow_run.conclusion == 'success'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: release
       - uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820
diff --git a/.github/workflows/release-candiate.yml b/.github/workflows/release-candiate.yml
index 67f32cb11c..635d553ce5 100644
--- a/.github/workflows/release-candiate.yml
+++ b/.github/workflows/release-candiate.yml
@@ -15,7 +15,7 @@ jobs:
       github.event_name == 'workflow_dispatch' ||
       github.event.workflow_run.conclusion == 'success'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: release-candidate
       - uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820
diff --git a/Dockerfile b/Dockerfile
index 69a3d8fec7..9f013240f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11-slim AS base
+FROM python:3.11-slim@sha256:a3ab0b966bc4e91546a033e22093cb840908979487a9fc0e6e38295747e49ac0 AS base
 
 LABEL maintainer="ODL DevOps <mitx-devops@mit.edu>"
 
@@ -25,7 +25,7 @@ ENV \
   UV_PROJECT_ENVIRONMENT="/opt/venv"
 ENV PATH="/opt/venv/bin:$PATH"
 
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
+COPY --from=ghcr.io/astral-sh/uv:latest@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d /uv /uvx /usr/local/bin/
 
 COPY pyproject.toml uv.lock /src/
 
@@ -37,7 +37,7 @@ USER mitodl
 WORKDIR /src
 RUN uv sync --frozen --no-install-project --no-dev
 
-FROM node:14.18.2 AS node_builder
+FROM node:14.18.2@sha256:e5c6aac226819f88d6431a56f502972d323d052b1b6108094ba7e6b07154a542 AS node_builder
 COPY . /src
 WORKDIR /src
 RUN yarn install --immutable
diff --git a/Dockerfile-node b/Dockerfile-node
index 3f55679b0f..20023a4ef3 100644
--- a/Dockerfile-node
+++ b/Dockerfile-node
@@ -1,4 +1,4 @@
-FROM node:14.18.2-bullseye
+FROM node:14.18.2-bullseye@sha256:4522c89e65c887a917d220cf759342552efa24a1cdfe2d50203890a0ef22205c
 
 LABEL maintainer "ODL DevOps <mitx-devops@mit.edu>"
 
diff --git a/docker-compose.selenium.yml b/docker-compose.selenium.yml
index 56bb6a847d..ace18a8c6b 100644
--- a/docker-compose.selenium.yml
+++ b/docker-compose.selenium.yml
@@ -34,14 +34,14 @@ services:
       - chrome
 
   hub:
-    image: selenium/hub:3.141.59-20210607
+    image: selenium/hub:3.141.59-20210607@sha256:7461fde60dcb6e0ff0ef514fd16c39dc53638d57f05893ab33150eba9649cb51
     environment:
       GRID_TIMEOUT: '3600'
     ports:
       - "4444:4444"
 
   chrome:
-    image: selenium/node-chrome:3.141.59-20210713
+    image: selenium/node-chrome:3.141.59-20210713@sha256:ca80b8895e72e67bdab2fe4ea9d26106fa684269b8d449c889de67883fddb289
     environment:
       - HUB_PORT_4444_TCP_ADDR=hub
       - HUB_PORT_4444_TCP_PORT=4444
diff --git a/docker-compose.yml b/docker-compose.yml
index c7f294b37a..78fc652159 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,7 +20,7 @@ x-environment:
 
 services:
   db:
-    image: postgres:16
+    image: postgres:16@sha256:4b7183ac05f8ef417db21fd72d71047a4238340c261d3cc3ddb6d579ab5071ae
     environment:
       - POSTGRES_HOST_AUTH_METHOD=trust
       - POSTGRES_USER=postgres
@@ -30,12 +30,12 @@ services:
       - "5432"
 
   redis:
-    image: redis:5.0.14
+    image: redis:5.0.14@sha256:fc5ecd863862f89f04334b7cbb57e93c9790478ea8188a49f6e57b0967d38c75
     ports:
       - "6379"
 
   opensearch-node1:
-    image: opensearchproject/opensearch:1.3.20
+    image: opensearchproject/opensearch:1.3.20@sha256:0ecf20d1ec1b682fa1cf36c74900b547bd1d7da5817a14edf4236472e110863e
     container_name: opensearch-node1
     environment:
       - cluster.name=opensearch-cluster
@@ -59,7 +59,7 @@ services:
       - 9600:9600 # required for Performance Analyzer
 
   nginx:
-    image: nginx:1.29
+    image: nginx:1.29@sha256:1881968aff6f7cdcc4b888c00a11f4ce241ad7ec957e0cb4a9e19e93a3ff87ea
     ports:
       - "8079:8079"
     links:
@@ -123,7 +123,7 @@ services:
       - sftp
 
   sftp:
-    image: atmoz/sftp
+    image: atmoz/sftp@sha256:0960390462a4441dbb63698d7c185b76a41ffcee7b78ff4adf275f3e66f9c475
     ports:
         - "2022:22"
     command: odl:123:1001:1001:results,results/topvue
diff --git a/package.json b/package.json
index 58e26b666f..535fa783aa 100644
--- a/package.json
+++ b/package.json
@@ -149,8 +149,8 @@
     "repl": "node --require ./scripts/repl.js"
   },
   "devDependencies": {
-    "enzyme": "^3.10.0",
-    "enzyme-adapter-react-16": "^1.15.2"
+    "enzyme": "3.10.0",
+    "enzyme-adapter-react-16": "1.15.2"
   },
   "resolutions": {
     "merge": "^2.1.1"