diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
index bd074af..2f6eb44 100644
--- a/.clusterfuzzlite/Dockerfile
+++ b/.clusterfuzzlite/Dockerfile
@@ -1,7 +1,9 @@
 # ClusterFuzzLite build image for aemo-mdff-reader.
 # Uses the OSS-Fuzz Python base image, which provides atheris and
 # the compile_python_fuzzer helper.
-FROM gcr.io/oss-fuzz-base/base-builder-python
+# Pinned by SHA256 (closes Scorecard PinnedDependenciesID); Dependabot's
+# docker ecosystem keeps the digest fresh.
+FROM gcr.io/oss-fuzz-base/base-builder-python@sha256:9c97273c8de83d22a40462fdda4371d1ff16eac065c72ee03bef7fdb1aaaf458
 
 COPY . $SRC/aemo-mdff-reader
 WORKDIR $SRC/aemo-mdff-reader
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 91d5437..1060b4b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,6 +13,12 @@ updates:
         update-types:
           - "minor"
           - "patch"
+  # Keep the OSS-Fuzz base image in .clusterfuzzlite/Dockerfile current.
+  - package-ecosystem: "docker"
+    directory: "/.clusterfuzzlite"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
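Review bot: The new FROM line pins by digest only, so nothing in the file records which tag the digest was resolved from or when, which makes the pin hard to audit and hard to re-derive when a Dependabot bump arrives. Keeping the tag alongside the digest, `FROM gcr.io/oss-fuzz-base/base-builder-python:latest@sha256:9c97273c8de83d22a40462fdda4371d1ff16eac065c72ee03bef7fdb1aaaf458`, or at least extending the new comment with `# resolved from :<TAG> on <DATE>` (placeholders), keeps that provenance visible; if Dependabot's docker updater needs a tag to know which stream to follow, the tag form also makes the "keeps the digest fresh" claim in the comment hold rather than being assumed. The digest itself cannot be checked from the diff, so the reviewer should confirm it matches the intended tag (for example via `docker buildx imagetools inspect`) before merging.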
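Review bot: The new docker entry will open a digest-bump PR in any week the upstream image changes, and since the pinned Dockerfile tracks a base image that OSS-Fuzz appears to rebuild often, that is likely to be most weeks; if that cadence is more review load than the project wants for a fuzzing build image, `interval: "monthly"` under `schedule:` is the one-line alternative. It is also worth stating in the comment that the bump is safe to merge only when the ClusterFuzzLite workflow passes on the PR, since a digest change is the only signal the PR carries; something like `# Merge digest bumps only after the ClusterFuzzLite build job passes.` would make that explicit.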