To ensure reproducible builds, pin each Dockerfile FROM instruction to a specific image hash (digest). You can find the hash by running docker pull $IMAGE, then specify it as $IMAGE:$VERSION@sha256:<hash goes here>.