diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 6b60aa1abee366fa24f3a7e9931386f99b645fbc..3c57e2d3f4ebd8a5cd8a30613d74022294818976 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -69,6 +69,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea
         with:
           sarif_file: results.sarif
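Review bot: The pinned SHA on the "Upload to code-scanning" step carries no trailing version comment, so a reader cannot tell which release of `github/codeql-action` it corresponds to, and a later bump cannot be checked against a tag by eye. I would write it as `uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # vX.Y.Z`, where `vX.Y.Z` is a placeholder for the release tag the SHA was taken from (the tag is not on this page). The other `uses:` entries of this workflow are outside the hunk, so whether they are pinned the same way cannot be confirmed from here.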
diff --git a/tools/docker/ArchLinux/default.dockerfile b/tools/docker/ArchLinux/default.dockerfile
index a9c338a1036be2bcff06bc6185e055224eb833d5..2c8c3a89c4c12947c4bf8ba11f99375b1d9d7394 100644
--- a/tools/docker/ArchLinux/default.dockerfile
+++ b/tools/docker/ArchLinux/default.dockerfile
@@ -1,4 +1,4 @@
-FROM library/archlinux:latest
+FROM library/archlinux:latest@sha256:c8501ab8b970205491501ba01d9bce9a04d70537fc15596360f1ce1011b08569
 ARG GIT_COMMIT=main
 LABEL git-commit=$GIT_COMMIT vendor=pocl distro=Arch version=1.0
 
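Review bot: In `FROM library/archlinux:latest@sha256:…` the digest alone decides what is pulled and the `:latest` tag is no longer followed, so the line still reads as "tracks latest" while the base is frozen at the day of the pin. For a rolling distribution this means the base image stops receiving updates until someone bumps the digest. A comment above the line such as `# base pinned by digest, :latest is informational only; refresh the digest regularly (pinned on <YYYY-MM-DD placeholder>)` would make that explicit, ideally backed by an automated digest updater if the repository has one configured (not visible here). The same applies to the identical `FROM` line in `tools/docker/ArchLinux/distro.dockerfile`; the rest of both Dockerfiles is outside the hunks.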
diff --git a/tools/docker/ArchLinux/distro.dockerfile b/tools/docker/ArchLinux/distro.dockerfile
index 4c80b95e4fcfb84fafe5d561e297fefb8d9e1972..c0dbc5f7d99d1c723516f023045ff5798c3bc1d8 100644
--- a/tools/docker/ArchLinux/distro.dockerfile
+++ b/tools/docker/ArchLinux/distro.dockerfile
@@ -1,4 +1,4 @@
-FROM library/archlinux:latest
+FROM library/archlinux:latest@sha256:c8501ab8b970205491501ba01d9bce9a04d70537fc15596360f1ce1011b08569
 ARG GIT_COMMIT=main
 LABEL git-commit=$GIT_COMMIT vendor=pocl distro=Arch version=1.0
 
diff --git a/tools/docker/Ubuntu/22_04.dockerfile b/tools/docker/Ubuntu/22_04.dockerfile
index 94a94dc01d2ab3856f90696b3f2577275c365cce..3d75101441760129a5977f9ff33cc65d7cb1c162 100644
--- a/tools/docker/Ubuntu/22_04.dockerfile
+++ b/tools/docker/Ubuntu/22_04.dockerfile
@@ -1,4 +1,4 @@
-FROM amd64/ubuntu:22.04
+FROM amd64/ubuntu:22.04@sha256:3d1556a8a18cf5307b121e0a98e93f1ddf1f3f8e092f1fddfd941254785b95d7
 
 ARG GIT_COMMIT=main
 ARG GH_PR
@@ -11,6 +11,10 @@ ENV TERM=dumb
 ENV TZ=Etc/UTC
 ENV DEBIAN_FRONTEND=noninteractive
 
+# these are only necessary for 22.04 to upgrade ocl-icd to 2.3.x (which supports OpenCL 3.0)
+COPY ocl-icd-ubuntu-ppa.list /etc/apt/sources.list.d/
+COPY ocl-icd_ubuntu_ppa.gpg /etc/apt/trusted.gpg.d/
+
 RUN apt update
 RUN apt upgrade -y
 
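Review bot: Copying `ocl-icd_ubuntu_ppa.gpg` into `/etc/apt/trusted.gpg.d/` makes the PPA key an accepted signer for every configured APT source, not only the ocl-icd PPA it is meant for. Scoping it is a small change: `COPY ocl-icd_ubuntu_ppa.gpg /etc/apt/keyrings/` together with a `[signed-by=/etc/apt/keyrings/ocl-icd_ubuntu_ppa.gpg]` option on the `deb` line in `ocl-icd-ubuntu-ppa.list`. The contents of the list file are not shown in this diff, so it may already carry a `signed-by` option, in which case only the key location needs to change. Since the keyring is a binary file committed to the repository, the comment above the `COPY` lines could also record the key's fingerprint so a reviewer can verify it.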
diff --git a/tools/docker/Ubuntu/24_04.dockerfile b/tools/docker/Ubuntu/24_04.dockerfile
index 9c933b0450b17bf9341a08d214836c6d0a614b40..6c635d5bff95039d5cf4cb30113d3fed9dbe67ad 100644
--- a/tools/docker/Ubuntu/24_04.dockerfile
+++ b/tools/docker/Ubuntu/24_04.dockerfile
@@ -1,4 +1,4 @@
-FROM amd64/ubuntu:24.04
+FROM amd64/ubuntu:24.04@sha256:74f92a6b3589aa5cac6028719aaac83de4037bad4371ae79ba362834389035aa
 
 ARG GIT_COMMIT=main
 ARG GH_PR
diff --git a/tools/docker/Ubuntu/conformance.dockerfile b/tools/docker/Ubuntu/conformance.dockerfile
index 37b29d8c0e1c24ab59bc7b7bf648a7c1d0c375ec..be4681fa8860642c8ef7fe97927059629c3bf7b2 100644
--- a/tools/docker/Ubuntu/conformance.dockerfile
+++ b/tools/docker/Ubuntu/conformance.dockerfile
@@ -1,11 +1,9 @@
-###################
-
-FROM amd64/ubuntu:22.04
+FROM amd64/ubuntu:24.04@sha256:74f92a6b3589aa5cac6028719aaac83de4037bad4371ae79ba362834389035aa
 
 ARG GIT_COMMIT=main
 ARG GH_PR
 ARG GH_SLUG=pocl/pocl
-ARG LLVM_VERSION=14
+ARG LLVM_VERSION=17
 
 LABEL git-commit=$GIT_COMMIT vendor=pocl distro=Ubuntu version=1.0
 
@@ -13,15 +11,11 @@ ENV TERM=dumb
 ENV TZ=Etc/UTC
 ENV DEBIAN_FRONTEND=noninteractive
 
-COPY ocl-icd-ubuntu-ppa.list /etc/apt/sources.list.d/
-COPY ocl-icd_ubuntu_ppa.gpg /etc/apt/trusted.gpg.d/
-
 RUN apt update
 RUN apt upgrade -y
 
 RUN apt install -y tzdata
-RUN apt install -y build-essential cmake git pkg-config libclang-${LLVM_VERSION}-dev clang-${LLVM_VERSION} libclang-cpp${LLVM_VERSION}-dev llvm-${LLVM_VERSION}-dev make ninja-build ocl-icd-libopencl1 ocl-icd-dev libhwloc-dev zlib1g zlib1g-dev  dialog apt-utils
-RUN ln -s /usr/lib/x86_64-linux-gnu/libOpenCL.so.1 /usr/lib/x86_64-linux-gnu/libOpenCL.so
+RUN apt install -y build-essential cmake git pkg-config libclang-${LLVM_VERSION}-dev clang-${LLVM_VERSION} libclang-cpp${LLVM_VERSION}-dev llvm-${LLVM_VERSION}-dev libllvmspirvlib-${LLVM_VERSION}-dev make ninja-build ocl-icd-libopencl1 ocl-icd-dev libhwloc-dev zlib1g zlib1g-dev  dialog apt-utils
 
 RUN cd /home ; git clone https://github.com/$GH_SLUG.git ; cd /home/pocl ; git checkout $GIT_COMMIT
 RUN cd /home/pocl ; test -z "$GH_PR" || (git fetch origin +refs/pull/$GH_PR/merge && git checkout -qf FETCH_HEAD) && :
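Review bot: With the base now pinned by digest, the separate `RUN apt update` and `RUN apt upgrade -y` layers get a stable cache key, so on a builder that keeps its layer cache the rewritten `apt install` line can run against a package index that is arbitrarily old. That leads either to fetch failures or to security updates being silently skipped, which undercuts the point of the pin. Folding the refresh into the instruction that consumes it avoids this, e.g. `RUN apt-get update && apt-get upgrade -y && apt-get install -y <package list as in this hunk>`. The same pattern appears as context in the second hunk of `tools/docker/Ubuntu/22_04.dockerfile`. The Dockerfile continues past the end of this hunk, so later install steps may need the same treatment.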
diff --git a/tools/docker/Ubuntu/distro.dockerfile b/tools/docker/Ubuntu/distro.dockerfile
index b9dbcfdab81d4c5cbb7231a7a2aa02fa6084bba4..e34fde4ca7504289748b271b955dc68e991e848e 100644
--- a/tools/docker/Ubuntu/distro.dockerfile
+++ b/tools/docker/Ubuntu/distro.dockerfile
@@ -1,9 +1,9 @@
-FROM amd64/ubuntu:22.04
+FROM amd64/ubuntu:24.04@sha256:74f92a6b3589aa5cac6028719aaac83de4037bad4371ae79ba362834389035aa
 
 ARG GIT_COMMIT=main
 ARG GH_PR
 ARG GH_SLUG=pocl/pocl
-ARG LLVM_VERSION=13
+ARG LLVM_VERSION=17
 
 LABEL git-commit=$GIT_COMMIT vendor=pocl distro=Ubuntu version=1.0