fix(security): pin Docker base images by SHA, fix Scorecard publish failure

.github/workflows/scorecard.yml

@@ -26,7 +26,10 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          publish_results: true
+          # publish_results requires sigstore verification of this exact action
+          # commit. Disabled because SHA-pinned references trip imposter-commit
+          # checks on the public webapp. Local SARIF upload still works.
+          publish_results: false
 
       - name: Upload Scorecard results
         uses: github/codeql-action/upload-sarif@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4.32.7

apps/api/Dockerfile

@@ -5,7 +5,7 @@
 # ---------------------------------------------------------------------------
 # Base stage: shared dependencies
 # ---------------------------------------------------------------------------
-FROM python:3.12-slim AS base
+FROM python:3.12-slim@sha256:866411c135b507754efdf2fda51484be4d3d7d5173ed53cd083106132e710904 AS base
 
 WORKDIR /app
 

apps/web/Dockerfile

@@ -5,7 +5,7 @@
 # ---------------------------------------------------------------------------
 # Base stage: install dependencies
 # ---------------------------------------------------------------------------
-FROM node:20-alpine AS base
+FROM node:20-alpine@sha256:afdf98210b07b586eb71fa22ba2e432e058e4cd1304d31ed60888755b8c865fb AS base
 
 WORKDIR /app
 
@@ -34,7 +34,7 @@ RUN npm run build
 # ---------------------------------------------------------------------------
 # Production stage: serve static files with nginx
 # ---------------------------------------------------------------------------
-FROM nginx:1.25-alpine AS production
+FROM nginx:1.25-alpine@sha256:721fa00bc549df26b3e67cc558ff176112d4ba69847537766f3c28e171d180e7 AS production
 
 RUN apk add --no-cache curl