diff --git a/Dockerfile b/Dockerfile
index e1c7385..a6d05d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,7 +29,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 
 # Use distroless as minimal base image to package the binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot AS ocm-kit
+FROM gcr.io/distroless/static:nonroot@sha256:963fa6c544fe5ce420f1f54fb88b6fb01479f054c8056d0f74cc2c6000df5240 AS ocm-kit
 WORKDIR /
 COPY --from=ocm-kit-builder /workspace/bin/ocm-kit .
 USER 65532:65532