diff --git a/Web/Resgrid.Web.Eventing/Dockerfile b/Web/Resgrid.Web.Eventing/Dockerfile
index 15bec7781..5fc4b4eae 100644
--- a/Web/Resgrid.Web.Eventing/Dockerfile
+++ b/Web/Resgrid.Web.Eventing/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7
 #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
 ARG BUILD_VERSION=3.5.0
 
@@ -26,11 +27,13 @@ WORKDIR "/src/Web/Resgrid.Web.Eventing"
 FROM build AS publish
 ARG BUILD_VERSION
 RUN dotnet publish "Resgrid.Web.Eventing.csproj" -c Release -o /app/publish  -p:Version=${BUILD_VERSION}
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.9.0/wait /app/publish/wait
+ADD --checksum=sha256:2241be671073520e028b2f12df1e9ef0419014cffb5670b7a80b2080804be17d https://github.com/ufoscout/docker-compose-wait/releases/download/2.12.1/wait /app/publish/wait
 RUN chmod +x /app/publish/wait
 
 FROM base AS final
 WORKDIR /app
 COPY --from=publish /app/publish .
+# docker-compose-wait waits for WAIT_HOSTS, then execs WAIT_COMMAND.
+# These hardened (distroless) images have no shell, so we can't chain with "sh -c".
+ENV WAIT_COMMAND="dotnet Resgrid.Web.Eventing.dll"
 ENTRYPOINT ["./wait"]
-CMD ["dotnet", "Resgrid.Web.Eventing.dll"]
diff --git a/Web/Resgrid.Web.Mcp/Dockerfile b/Web/Resgrid.Web.Mcp/Dockerfile
index 74f64d1b6..19d83a50d 100644
--- a/Web/Resgrid.Web.Mcp/Dockerfile
+++ b/Web/Resgrid.Web.Mcp/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7
 #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
 
 ARG BUILD_VERSION=3.5.0
@@ -37,11 +38,13 @@ WORKDIR "/src/Web/Resgrid.Web.Mcp"
 FROM build AS publish
 ARG BUILD_VERSION
 RUN dotnet publish "Resgrid.Web.Mcp.csproj" -c Release -o /app/publish -p:Version=${BUILD_VERSION}
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.9.0/wait /app/publish/wait
+ADD --checksum=sha256:2241be671073520e028b2f12df1e9ef0419014cffb5670b7a80b2080804be17d https://github.com/ufoscout/docker-compose-wait/releases/download/2.12.1/wait /app/publish/wait
 RUN chmod +x /app/publish/wait
 
 FROM base AS final
 WORKDIR /app
 COPY --from=publish /app/publish .
+# docker-compose-wait waits for WAIT_HOSTS, then execs WAIT_COMMAND.
+# These hardened (distroless) images have no shell, so we can't chain with "sh -c".
+ENV WAIT_COMMAND="dotnet Resgrid.Web.Mcp.dll"
 ENTRYPOINT ["./wait"]
-CMD ["dotnet", "Resgrid.Web.Mcp.dll"]
diff --git a/Web/Resgrid.Web.Services/Dockerfile b/Web/Resgrid.Web.Services/Dockerfile
index ea420f22a..58de9e417 100644
--- a/Web/Resgrid.Web.Services/Dockerfile
+++ b/Web/Resgrid.Web.Services/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7
 #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
 
 ARG BUILD_VERSION=3.5.0
@@ -37,11 +38,13 @@ WORKDIR "/src/Web/Resgrid.Web.Services"
 FROM build AS publish
 ARG BUILD_VERSION
 RUN dotnet publish "Resgrid.Web.Services.csproj" -c Release -o /app/publish -p:Version=${BUILD_VERSION}
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.9.0/wait /app/publish/wait
+ADD --checksum=sha256:2241be671073520e028b2f12df1e9ef0419014cffb5670b7a80b2080804be17d https://github.com/ufoscout/docker-compose-wait/releases/download/2.12.1/wait /app/publish/wait
 RUN chmod +x /app/publish/wait
 
 FROM base AS final
 WORKDIR /app
 COPY --from=publish /app/publish .
+# docker-compose-wait waits for WAIT_HOSTS, then execs WAIT_COMMAND.
+# These hardened (distroless) images have no shell, so we can't chain with "sh -c".
+ENV WAIT_COMMAND="dotnet Resgrid.Web.Services.dll"
 ENTRYPOINT ["./wait"]
-CMD ["dotnet", "Resgrid.Web.Services.dll"]
diff --git a/Web/Resgrid.Web/Dockerfile b/Web/Resgrid.Web/Dockerfile
index aaa01e4a4..4716226b5 100644
--- a/Web/Resgrid.Web/Dockerfile
+++ b/Web/Resgrid.Web/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7
 #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
 ARG BUILD_VERSION=3.5.0
 
@@ -55,11 +56,13 @@ RUN for i in 1 2 3; do libman restore && break || { echo "libman restore attempt
 ENV SKIP_LIBMAN_RESTORE=1
 RUN dotnet publish "Resgrid.Web.csproj" -c Release -o /app/publish -p:Version=${BUILD_VERSION}
 ## Download the wait script in the build stage where a shell is available
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.9.0/wait /app/publish/wait
+ADD --checksum=sha256:2241be671073520e028b2f12df1e9ef0419014cffb5670b7a80b2080804be17d https://github.com/ufoscout/docker-compose-wait/releases/download/2.12.1/wait /app/publish/wait
 RUN chmod +x /app/publish/wait
 
 FROM base AS final
 WORKDIR /app
 COPY --from=publish /app/publish .
+# docker-compose-wait waits for WAIT_HOSTS, then execs WAIT_COMMAND.
+# These hardened (distroless) images have no shell, so we can't chain with "sh -c".
+ENV WAIT_COMMAND="dotnet Resgrid.Web.dll"
 ENTRYPOINT ["./wait"]
-CMD ["dotnet", "Resgrid.Web.dll"]
diff --git a/Workers/Resgrid.Workers.Console/Dockerfile b/Workers/Resgrid.Workers.Console/Dockerfile
index 196c0e0a1..433f0ad2f 100644
--- a/Workers/Resgrid.Workers.Console/Dockerfile
+++ b/Workers/Resgrid.Workers.Console/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.7
 #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
 ARG BUILD_VERSION=3.5.0
 
@@ -37,7 +38,7 @@ WORKDIR "/src/Workers/Resgrid.Workers.Console"
 FROM build AS publish
 ARG BUILD_VERSION
 RUN dotnet publish "Resgrid.Workers.Console.csproj" -c Release -o /app/publish -p:Version=${BUILD_VERSION}
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.9.0/wait /app/publish/wait
+ADD --checksum=sha256:2241be671073520e028b2f12df1e9ef0419014cffb5670b7a80b2080804be17d https://github.com/ufoscout/docker-compose-wait/releases/download/2.12.1/wait /app/publish/wait
 RUN chmod +x /app/publish/wait
 
 ## Install wkhtmltopdf and capture its runtime libraries
@@ -76,5 +77,7 @@ ENV LD_LIBRARY_PATH="/usr/local/lib/wkhtmltopdf"
 
 COPY --from=publish /app/publish .
 
+# docker-compose-wait waits for WAIT_HOSTS, then execs WAIT_COMMAND.
+# These hardened (distroless) images have no shell, so we can't chain with "sh -c".
+ENV WAIT_COMMAND="dotnet Resgrid.Workers.Console.dll"
 ENTRYPOINT ["./wait"]
-CMD ["dotnet", "Resgrid.Workers.Console.dll"]