diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f159282..408b55b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,3 +12,12 @@ updates:
 - "*"
 commit-message:
 prefix: "ci"
+
+ - package-ecosystem: docker
+ directory: /docker/peribolos
+ schedule:
+ interval: monthly
+ cooldown:
+ default-days: 7
+ commit-message:
+ prefix: "ci"
diff --git a/docker/peribolos/Dockerfile b/docker/peribolos/Dockerfile
new file mode 100644
index 0000000..a4907b4
--- /dev/null
+++ b/docker/peribolos/Dockerfile
@@ -0,0 +1,6 @@
+# Pin of the peribolos image consumed by scripts/run-peribolos.sh.
+#
+# This Dockerfile exists solely to give Dependabot's `docker` ecosystem a
+# file to watch — see .github/dependabot.yml. The script parses the FROM
+# line below; it does not run `docker build`.
+FROM us-docker.pkg.dev/k8s-infra-prow/images/peribolos@sha256:6978d5adbb75487cbdb9088eef1437acd8a93a6e75f01abe76c5d0fca853bba8
diff --git a/scripts/run-peribolos.sh b/scripts/run-peribolos.sh
index bec0ea7..7aa264b 100755
--- a/scripts/run-peribolos.sh
+++ b/scripts/run-peribolos.sh
@@ -26,7 +26,17 @@ if [[ $MODE == "apply" && ${GITHUB_ACTIONS:-} == "true" && ${GITHUB_REF:-} != "r
 exit 1
 fi
-PERIBOLOS_IMAGE="us-docker.pkg.dev/k8s-infra-prow/images/peribolos:latest"
+# Peribolos image is pinned by digest in docker/peribolos/Dockerfile so
+# Dependabot's `docker` ecosystem (see .github/dependabot.yml) can open PRs
+# when a new digest is available. Parse the FROM line so the digest lives
+# in exactly one place.
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PERIBOLOS_DOCKERFILE="$SCRIPT_DIR/../docker/peribolos/Dockerfile"
+PERIBOLOS_IMAGE="$(awk '/^FROM / {print $2; exit}' "$PERIBOLOS_DOCKERFILE")"
+if [[ -z $PERIBOLOS_IMAGE ]]; then
+ echo "ERROR: failed to parse FROM line from $PERIBOLOS_DOCKERFILE" >&2
+ exit 1
+fi
 if [[ -z ${GITHUB_TOKEN:-} ]]; then
 echo "ERROR: GITHUB_TOKEN environment variable is required." >&2
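Review bot: The header comment in docker/peribolos/Dockerfile does not say which upstream tag the digest was resolved from, so a reviewer of a Dependabot bump has nothing to compare the proposed digest against. The script previously pulled `:latest`, so presumably the digest follows that tag; if that is right, record it, e.g. `# Digest resolved from the :latest tag; confirm a proposed digest against the registry before merging.` The comment should also state that the FROM line must stay digest-pinned and free of flags, because scripts/run-peribolos.sh takes the second field of that line verbatim.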
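Review bot: The new guard in scripts/run-peribolos.sh rejects only an empty `PERIBOLOS_IMAGE`, so a FROM line that loses its digest (for example a return to a mutable tag such as the old `:latest`) is still accepted, and a flag such as `--platform=…` placed before the image would make `$2` the flag rather than the image. The image presumably runs with the `GITHUB_TOKEN` that the script requires, so the pin should be enforced at the point of use: `if [[ ! $PERIBOLOS_IMAGE =~ @sha256:[0-9a-f]{64}$ ]]; then`, with the error message saying that a digest-pinned FROM line is required. An empty value fails that test as well, so the `-z` check is subsumed. The trailing context `if [[ -z ${GITHUB_TOKEN:-} ]]` continues past the end of the hunk.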