diff --git a/app/Dockerfile b/app/Dockerfile
index d11579bf..5afd9d81 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -1,4 +1,5 @@
-FROM python:3-alpine as release
+# Run `make update-docker-digest` to update the image
+FROM python:3-alpine@sha256:657dbdb20479a6523b46c06114c8fec7db448232f956a429d3cc0606d30c1b59 as release
 RUN adduser --system --disabled-password --no-create-home app
@@ -7,7 +8,7 @@ WORKDIR /app
 RUN apk update && \
 apk --no-cache add \
 aws-cli~=2 \
- postgresql14-client~=14
+ postgresql17-client~=17
 COPY requirements.txt ./
diff --git a/app/Makefile b/app/Makefile
index 43d91427..b14c1a4f 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -7,3 +7,6 @@ release-build:
 --platform=linux/amd64 \
 $(OPTS) \
 .
+
+update-docker-digest:
+ ../template-only-bin/update-docker-digest Dockerfile
diff --git a/template-only-bin/update-docker-digest b/template-only-bin/update-docker-digest
new file mode 100755
index 00000000..208bd291
--- /dev/null
+++ b/template-only-bin/update-docker-digest
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+file="$1"
+
+function get_image_digest() {
+ local image_name=$1
+ skopeo inspect --format "{{ .Digest }}" "docker://${image_name}"
+}
+
+images_used_with_digest=$(perl -lne 'print $1 if /^FROM (.*)@.*$/' "${file}")
+
+while IFS= read -r image; do
+ latest_digest=$(get_image_digest "${image}")
+ sed -ri "s|^FROM ${image}@[[:alnum:]:]+ (.*)|FROM ${image}@${latest_digest} \1|" "${file}"
+done <<< "${images_used_with_digest}"
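Review bot: The digest on the new `FROM` line is resolved from the floating `python:3-alpine` tag, so a later `make update-docker-digest` can move the Python minor version and the Alpine release in one step, while `postgresql17-client~=17` in the next hunk only installs on Alpine releases that package it. Narrowing the tag to a specific Python minor and Alpine release would keep a digest refresh to patch-level rebuilds. Nothing in this diff schedules the refresh, so the comment above `FROM` could state the trade-off, for example `# Pinned by digest for reproducible builds; re-run "make update-docker-digest" regularly to pick up base-image security fixes`. The stage keyword is written `as`; `AS` would match the casing of `FROM`.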
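Review bot: The `sed` substitution in the loop only rewrites `FROM` lines that have a space and more text after the digest, while the `perl` extraction also matches a bare `FROM image@digest`, so a stage without an `as name` suffix is silently left on its old digest. The value returned by `skopeo` is also written into the file without checking that it is a digest, and `${image}` is used as an unescaped regex, so its `.` characters match any character. A file with no pinned `FROM` still runs the loop once with an empty image name. I would validate the digest before writing and make the trailing part optional, as sketched below; the check assumes sha256 digests, which is what the Dockerfile pin uses.

```bash
while IFS= read -r image; do
  # Skip the single empty line a here-string yields when no FROM line is pinned.
  [[ -n "${image}" ]] || continue
  latest_digest=$(get_image_digest "${image}")
  # Refuse to write anything that is not a well-formed sha256 digest.
  if [[ ! "${latest_digest}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
    echo "unexpected digest for ${image}: '${latest_digest}'" >&2
    exit 1
  fi
  # The trailing " as <stage>" part is optional so bare FROM lines are updated too.
  sed -ri "s|^FROM ${image}@[[:alnum:]:]+( .*)?$|FROM ${image}@${latest_digest}\1|" "${file}"
done <<< "${images_used_with_digest}"
```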