diff --git a/tests/e2e/fixtures/baseline-clean/Dockerfile b/tests/e2e/fixtures/baseline-clean/Dockerfile
index fd485bd..3d4e68e 100644
--- a/tests/e2e/fixtures/baseline-clean/Dockerfile
+++ b/tests/e2e/fixtures/baseline-clean/Dockerfile
@@ -12,7 +12,7 @@
 #   - CertificateAudit: /etc/ssl/certs/ca-certificates.crt matches the pinned SHA-256
 #
 # Expected result: a clean scan with no failures attributable to these rules.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0cff4df29a6597173dc8b813787318150141eb96ac783dc3ff4f5ff52c49a1e2
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
 
 # Suppress OrbStack's automatic root-CA injection so the baked CA bundle in
 # the image is identical to the upstream wolfi-base bundle. Without this, the
diff --git a/tests/e2e/fixtures/cabundle-tampered/Dockerfile b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
index 01323e7..75c2b7d 100644
--- a/tests/e2e/fixtures/cabundle-tampered/Dockerfile
+++ b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
@@ -6,7 +6,7 @@
 # Appends a bogus trust anchor to /etc/ssl/certs/ca-certificates.crt so
 # the SHA-256 of the baked bundle diverges from the pinned value the
 # CertificateAudit OVAL check expects. The rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0cff4df29a6597173dc8b813787318150141eb96ac783dc3ff4f5ff52c49a1e2
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
 
 LABEL dev.orbstack.add-ca-certificates=false
 
diff --git a/tests/e2e/fixtures/non-https-repo/Dockerfile b/tests/e2e/fixtures/non-https-repo/Dockerfile
index 8dda79b..0d1411d 100644
--- a/tests/e2e/fixtures/non-https-repo/Dockerfile
+++ b/tests/e2e/fixtures/non-https-repo/Dockerfile
@@ -6,7 +6,7 @@
 # Injects a non-https repository URL into /etc/apk/repositories so the
 # textfilecontent54 pattern ^(?!\s*#)(?!.*https://).+$ must match at
 # least one line and the rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0cff4df29a6597173dc8b813787318150141eb96ac783dc3ff4f5ff52c49a1e2
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
 
 LABEL dev.orbstack.add-ca-certificates=false
 
diff --git a/tests/e2e/fixtures/remote-access-violation/Dockerfile b/tests/e2e/fixtures/remote-access-violation/Dockerfile
index c6dea1f..519b1a3 100644
--- a/tests/e2e/fixtures/remote-access-violation/Dockerfile
+++ b/tests/e2e/fixtures/remote-access-violation/Dockerfile
@@ -7,7 +7,7 @@
 # RemoteAccessServices OVAL check must detect the package record under
 # /usr/lib/apk/db/installed and every RemoteAccessServices-backed rule
 # must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0cff4df29a6597173dc8b813787318150141eb96ac783dc3ff4f5ff52c49a1e2
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
 
 LABEL dev.orbstack.add-ca-certificates=false