diff --git a/.github/renovate.json b/.github/renovate.json
index 0a5c9b3a..27f6939f 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -47,13 +47,14 @@
 },
 {
 "customType": "regex",
- "description": "Track Debian base image in Dockerfile",
+ "description": "Track Debian base image digest in Dockerfile for security updates",
 "managerFilePatterns": ["/^Dockerfile$/"],
 "matchStrings": [
- "ARG CADDY_IMAGE=debian:(?[\\w.-]+)"
+ "#\\s*renovate:\\s*datasource=docker\\s+depName=debian.*\\nARG CADDY_IMAGE=debian:(?trixie-slim@sha256:[a-f0-9]+)"
 ],
 "depNameTemplate": "debian",
- "datasourceTemplate": "docker"
+ "datasourceTemplate": "docker",
+ "versioningTemplate": "docker"
 }
 ],
diff --git a/Dockerfile b/Dockerfile
index c4e55342..20c4d5af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,8 +22,8 @@ ARG CADDY_VERSION=2.11.0-beta.2
 ## upstream caddy image tags while still shipping a pinned caddy binary.
 ## Using trixie (Debian 13 testing) for faster security updates - bookworm
 ## packages marked "wont-fix" are actively maintained in trixie.
-# renovate: datasource=docker depName=debian
-ARG CADDY_IMAGE=debian:trixie-slim
+# renovate: datasource=docker depName=debian versioning=docker
+ARG CADDY_IMAGE=debian:trixie-slim@sha256:77ba0164de17b88dd0bf6cdc8f65569e6e5fa6cd256562998b62553134a00ef0
 
 # ---- Cross-Compilation Helpers ----
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0 AS xx
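Review bot: The new matchString folds the tag and the digest into a single capture, `(?trixie-slim@sha256:[a-f0-9]+)`, and the group name is missing in this rendering — presumably `<currentValue>` was lost to markup, but confirm in the source, since an unnamed group gives Renovate nothing to update. Even with the name restored, Renovate's docker versioning is unlikely to accept `trixie-slim@sha256:…` as a version, so the digest-only updates this change is meant to enable would not be produced and the pin would silently go stale. Split the capture so the tag and digest are tracked separately and the hard-coded `trixie-slim` no longer has to be edited on the next Debian release: `"#\\s*renovate:\\s*datasource=docker\\s+depName=debian.*\\nARG CADDY_IMAGE=debian:(?<currentValue>[\\w.-]+)@sha256:(?<currentDigest>[a-f0-9]+)"`. The hunk header announces 13 old lines but only 12 are visible, so a context line may have been dropped in extraction.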
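Review bot: The digest pinned on the new `ARG CADDY_IMAGE` line needs to be the multi-arch manifest-list (index) digest rather than a single-platform image digest, because this Dockerfile cross-compiles via `--platform=$BUILDPLATFORM` and the xx helper, and a per-arch digest would break pulls for the other target platforms. Nothing in the hunk records which kind was pinned, so extend the preceding comment: `# digest must be the multi-arch manifest-list (index) digest of debian:trixie-slim, not a per-arch image digest`. The added `versioning=docker` token in the `# renovate:` comment is not captured by the regex manager's matchString (it only has to satisfy `.*`), so it documents intent but the effective setting comes from `versioningTemplate` in renovate.json; saying so in the comment would prevent a future reader from relying on it.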