diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 4f516f19..79e51d68 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -35,6 +35,14 @@ jobs:
 - name: 🔧 Set up Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+ # Resolve immutable digest for Caddy base
+ - name: 📦 Resolve Caddy base digest
+ id: caddy
+ run: |
+ docker pull caddy:2-alpine
+ DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' caddy:2-alpine)
+ echo "image=$DIGEST" >> $GITHUB_OUTPUT
+
 # Step 4: Log in to GitHub Container Registry
 - name: 🔐 Log in to GitHub Container Registry
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
@@ -85,6 +93,8 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
+ build-args: |
+ CADDY_IMAGE=${{ steps.caddy.outputs.image }}
 # Step 8: Run Trivy security scan
 - name: 🔍 Run Trivy vulnerability scanner
@@ -95,6 +105,8 @@ jobs:
 image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
 format: 'sarif'
 output: 'trivy-results.sarif'
+ exit-code: '1'
+ severity: 'CRITICAL,HIGH'
 # Step 9: Upload Trivy results to GitHub Security tab
 - name: 📤 Upload Trivy results to GitHub Security
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 5cc4bcc1..6a860ec1 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -32,6 +32,13 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+ - name: Resolve Caddy base digest
+ id: caddy
+ run: |
+ docker pull caddy:2-alpine
+ DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' caddy:2-alpine)
+ echo "image=$DIGEST" >> $GITHUB_OUTPUT
+
 - name: Log in to Container Registry
 if: github.event_name != 'pull_request'
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
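Review bot: The `Resolve Caddy base digest` step does not pin the base image; it re-resolves the floating `caddy:2-alpine` tag on every run, so each build still picks up whatever that tag points to at run time, and the chosen digest is visible only in the step log. If an auditable pin is the goal, commit a `caddy:2-alpine@sha256:<digest>` reference and let dependency tooling bump it; if run-level consistency is all that is wanted, at least reject an empty value and surface the digest where a reviewer can see it: `test -n "$DIGEST"`, `echo "image=$DIGEST" >> "$GITHUB_OUTPUT"`, `echo "Caddy base: $DIGEST" >> "$GITHUB_STEP_SUMMARY"`. On a fresh runner `{{index .RepoDigests 0}}` should be the `caddy@sha256:…` entry, but that is an assumption about pull state rather than something the step checks. The same step is duplicated verbatim in the docker-publish.yml hunk at `@@ -32,6 +32,13 @@`, and the remark applies there too.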
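Review bot: The resolved base reference is consumed only through `build-args`, so the published image carries no record of which Caddy base it was built from, which undercuts the provenance the resolve step was added for; the `labels:` input on the line above is the natural place to record it. Append the OCI base annotations there, e.g. `labels: |`, `${{ steps.meta.outputs.labels }}`, `org.opencontainers.image.base.digest=${{ steps.caddy.outputs.digest }}` (a new output, since `RepoDigests` yields `caddy@sha256:…` and the annotation wants the bare `sha256:…`), and `org.opencontainers.image.base.name=docker.io/library/caddy:2-alpine` alongside it. The `CADDY_IMAGE` build-arg added in docker-publish.yml's `@@ -70,6 +77,7 @@` hunk has the same gap.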
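Review bot: With `exit-code: '1'` the scanner step now fails the job whenever a CRITICAL/HIGH finding exists, and a failed step stops the job before `Step 9` uploads the SARIF, so results stop reaching the Security tab exactly when there are results to show; the upload step's own `if:` is outside this hunk, so this holds unless it already uses `always()`. In docker-publish.yml's `@@ -82,6 +90,8 @@` hunk the visible guard `steps.trivy.outcome == 'success'` makes that outcome certain (keep its `github.event_name != 'pull_request'` half when changing it). Let the scan step continue on error, upload whenever it ran, and fail the job afterwards; consider `ignore-unfixed: 'true'` as well, since a CVE in the Alpine base with no fix available would otherwise block every build with no remediation path.
```yaml
      - name: 🔍 Run Trivy vulnerability scanner
        id: trivy                # docker-build.yml: add if the step has no id yet
        continue-on-error: true  # record the outcome; the job is gated below
        # … unchanged: uses …
        with:
          # … unchanged: image-ref, format, output, exit-code, severity …
          ignore-unfixed: 'true'

      - name: 📤 Upload Trivy results to GitHub Security
        if: always() && steps.trivy.outcome != 'skipped'
        # … unchanged: uses/with …

      - name: Fail on CRITICAL/HIGH findings
        if: steps.trivy.outcome == 'failure'
        run: exit 1
```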
@@ -70,6 +77,7 @@ jobs:
 VERSION=${{ steps.meta.outputs.version }}
 BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
 VCS_REF=${{ github.sha }}
+ CADDY_IMAGE=${{ steps.caddy.outputs.image }}
 - name: Image digest
 run: echo ${{ steps.build-and-push.outputs.digest }}
@@ -82,6 +90,8 @@ jobs:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
 format: 'sarif'
 output: 'trivy-results.sarif'
+ exit-code: '1'
+ severity: 'CRITICAL,HIGH'
 - name: Upload Trivy results to GitHub Security
 if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
diff --git a/Dockerfile b/Dockerfile
index 7fde1a62..1f80eddb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,8 +52,9 @@ RUN CGO_ENABLED=1 GOOS=linux go build \
 -o api ./cmd/api
 # ---- Final Runtime with Caddy ----
-# Pin to Alpine variant to keep surface small and CVEs manageable
-FROM caddy:2-alpine
+# Allow pinning Caddy by digest via build-arg
+ARG CADDY_IMAGE=caddy:2-alpine
+FROM ${CADDY_IMAGE}
 WORKDIR /app
 # Install runtime dependencies for CPM+ (no bash needed)
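Review bot: The new comment says the base can be pinned by digest, but the default `ARG CADDY_IMAGE=caddy:2-alpine` is still the floating tag, so any `docker build` outside CI is unpinned, and the rationale carried by the removed line (Alpine variant for a small surface) is lost with it. Say both things above the ARG: `# Runtime base. Defaults to the Alpine variant (small surface, fewer CVEs); CI overrides it` / `# with a digest-resolved reference: --build-arg CADDY_IMAGE=caddy@sha256:<digest>`. If a rebuild from the repository alone is meant to be reproducible, the default itself should be a `caddy:2-alpine@sha256:<digest>` reference bumped by dependency tooling, with the workflow override kept as the exception rather than the only pinned path.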