diff --git a/backend/Makefile b/backend/Makefile
index 07551fd06..2e0ddb89e 100644
--- a/backend/Makefile
+++ b/backend/Makefile
@@ -4,7 +4,6 @@ HELM_CMD ?= helm upgrade --install
 
 CURRENT_COMMIT := $(shell git rev-parse --short=7 HEAD)
 ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
-ARO_HCP_IMAGE_REPOSITORY ?= arohcpbackend
 ARO_HCP_BACKEND_IMAGE ?= $(ARO_HCP_IMAGE_REGISTRY)/$(ARO_HCP_IMAGE_REPOSITORY)
 
 .DEFAULT_GOAL := backend
@@ -37,7 +36,7 @@ push: image
 .PHONY: push
 
 deploy:
-	IMAGE_TAG=$$(../get-tag.sh ${ARO_HCP_IMAGE_ACR} arohcpbackend) \
+	DIGEST=$$(../get-digest.sh ${ARO_HCP_IMAGE_ACR} arohcpbackend) \
 	BACKEND_MI_CLIENT_ID=$$(az identity show \
 			-g ${RESOURCEGROUP} \
 			-n backend \
@@ -51,9 +50,9 @@ deploy:
 		--set configMap.databaseUrl="$${DB_URL}" \
 		--set configMap.backendMiClientId="$${BACKEND_MI_CLIENT_ID}" \
 		--set serviceAccount.workloadIdentityClientId="$${BACKEND_MI_CLIENT_ID}" \
-		--set configMap.currentVersion=${ARO_HCP_BACKEND_IMAGE}:$${IMAGE_TAG} \
+		--set configMap.currentVersion=${ARO_HCP_BACKEND_IMAGE}:$${DIGEST} \
 		--set configMap.location=${LOCATION} \
-		--set deployment.imageName=${ARO_HCP_BACKEND_IMAGE}:$${IMAGE_TAG} \
+		--set deployment.imageName=${ARO_HCP_BACKEND_IMAGE}@$${DIGEST} \
 		--namespace aro-hcp
 .PHONY: deploy
 
diff --git a/backend/pipeline.yaml b/backend/pipeline.yaml
index 80768dd7f..b2be59660 100644
--- a/backend/pipeline.yaml
+++ b/backend/pipeline.yaml
@@ -24,7 +24,9 @@ resourceGroups:
       configRef: svc.aks.name
     - name: DB_NAME
       configRef: frontend.cosmosDB.name
-    - name: COMMIT
-      configRef: backend.imageTag
+    - name: IMAGE_DIGEST
+      configRef: backend.image.digest
+    - name: ARO_HCP_IMAGE_REPOSITORY
+      configRef: backend.image.repository
     - name: ISTO_TAG
       configRef: svc.istio.tag
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
index e98a8333b..ea9c7623d 100644
--- a/config/config.msft.yaml
+++ b/config/config.msft.yaml
@@ -226,9 +226,13 @@ clouds:
           image:
             digest: sha256:4affed9ff6397a5c44e9d1451fd58667f56e826b122819ccb6e1e8e045803c18
       frontend:
-        imageTag: 8dab517
+        image:
+          repository: arohcpfrontend
+          digest: sha256:0c087b6cdcc34d6e66c252dc21880b53a99e869b0ebd928ddbd7a06f481140ca
       backend:
-        imageTag: 8dab517
+        image:
+          repository: arohcpbackend
+          digest: sha256:eba8cee29ab7367f0acc2856d5bf01e13d535b0fabe6899784a01378fdfe74a9
 
     environments:
       int:
diff --git a/config/config.schema.json b/config/config.schema.json
index 6774208d7..5e230038b 100644
--- a/config/config.schema.json
+++ b/config/config.schema.json
@@ -360,20 +360,20 @@
     "backend": {
       "type": "object",
       "properties": {
-        "imageTag": {
-          "type": "string"
+        "image": {
+          "$ref": "#/definitions/containerImage"
         }
       },
       "additionalProperties": false,
       "required": [
-        "imageTag"
+        "image"
       ]
     },
     "frontend": {
       "type": "object",
       "properties": {
-        "imageTag": {
-          "type": "string"
+        "image": {
+          "$ref": "#/definitions/containerImage"
         },
         "cosmosDB": {
           "type": "object",
@@ -421,7 +421,7 @@
       },
       "additionalProperties": false,
       "required": [
-        "imageTag",
+        "image",
         "cosmosDB",
         "cert"
       ]
diff --git a/config/config.yaml b/config/config.yaml
index dc4569db5..9b48abcc2 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -228,10 +228,14 @@ clouds:
           digest: sha256:c802cd5c71b279926ed3f02871d5a414d0b852dd276406046fc4e893404d468f
       # Frontend
       frontend:
-        imageTag: '' # if empty uses commit sha of repo
+        image:
+          repository: arohcpfrontend
+          digest: '' # if empty uses commit sha of repo
       # Backend
       backend:
-        imageTag: '' # if empty uses commit sha of repo
+        image:
+          repository: arohcpbackend
+          digest: '' # if empty uses commit sha of repo
       # Shared SVC KV
       serviceKeyVault:
         name: 'aro-hcp-dev-svc-kv'
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
index 575b7bab5..83a1ff331 100644
--- a/config/public-cloud-cs-pr.json
+++ b/config/public-cloud-cs-pr.json
@@ -11,7 +11,10 @@
   "armHelperFPAPrincipalId": "47f69502-0065-4d9a-b19b-d403e183d2f4",
   "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-rollout-identity",
   "backend": {
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpbackend"
+    }
   },
   "clusterService": {
     "azureOperatorsManagedIdentities": {
@@ -87,7 +90,10 @@
       "private": false,
       "zoneRedundantMode": "Disabled"
     },
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpfrontend"
+    }
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index a8c5a6a63..b0bdfda8c 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -11,7 +11,10 @@
   "armHelperFPAPrincipalId": "47f69502-0065-4d9a-b19b-d403e183d2f4",
   "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-rollout-identity",
   "backend": {
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpbackend"
+    }
   },
   "clusterService": {
     "azureOperatorsManagedIdentities": {
@@ -87,7 +90,10 @@
       "private": false,
       "zoneRedundantMode": "Disabled"
     },
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpfrontend"
+    }
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
index 00a182e22..1a77fb07e 100644
--- a/config/public-cloud-msft-int.json
+++ b/config/public-cloud-msft-int.json
@@ -11,7 +11,10 @@
   "armHelperFPAPrincipalId": "47f69502-0065-4d9a-b19b-d403e183d2f4",
   "aroDevopsMsiId": "/subscriptions/5299e6b7-b23b-46c8-8277-dc1147807117/resourcegroups/global-shared-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-ev2-identity",
   "backend": {
-    "imageTag": "8dab517"
+    "image": {
+      "digest": "sha256:eba8cee29ab7367f0acc2856d5bf01e13d535b0fabe6899784a01378fdfe74a9",
+      "repository": "arohcpbackend"
+    }
   },
   "clusterService": {
     "azureOperatorsManagedIdentities": {
@@ -87,7 +90,10 @@
       "private": false,
       "zoneRedundantMode": "Auto"
     },
-    "imageTag": "8dab517"
+    "image": {
+      "digest": "sha256:0c087b6cdcc34d6e66c252dc21880b53a99e869b0ebd928ddbd7a06f481140ca",
+      "repository": "arohcpfrontend"
+    }
   },
   "global": {
     "globalMSIName": "global-ev2-identity",
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index a47d196ee..1e2383416 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -11,7 +11,10 @@
   "armHelperFPAPrincipalId": "47f69502-0065-4d9a-b19b-d403e183d2f4",
   "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-rollout-identity",
   "backend": {
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpbackend"
+    }
   },
   "clusterService": {
     "azureOperatorsManagedIdentities": {
@@ -87,7 +90,10 @@
       "private": false,
       "zoneRedundantMode": "Disabled"
     },
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpfrontend"
+    }
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
diff --git a/frontend/Makefile b/frontend/Makefile
index 49da76f31..915cd6a0d 100644
--- a/frontend/Makefile
+++ b/frontend/Makefile
@@ -4,7 +4,6 @@ HELM_CMD ?= helm upgrade --install
 
 CURRENT_COMMIT := $(shell git rev-parse --short=7 HEAD)
 ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
-ARO_HCP_IMAGE_REPOSITORY ?= arohcpfrontend
 ARO_HCP_FRONTEND_IMAGE ?= $(ARO_HCP_IMAGE_REGISTRY)/$(ARO_HCP_IMAGE_REPOSITORY)
 
 .DEFAULT_GOAL := frontend
@@ -41,7 +40,7 @@ push: image
 	docker push ${ARO_HCP_FRONTEND_IMAGE}:${CURRENT_COMMIT}
 
 deploy:
-	IMAGE_TAG=$$(../get-tag.sh ${ARO_HCP_IMAGE_ACR} arohcpfrontend) \
+	DIGEST=$$(../get-digest.sh ${ARO_HCP_IMAGE_ACR} arohcpfrontend) \
 	FRONTEND_MI_CLIENT_ID=$$(az identity show \
 			-g ${RESOURCEGROUP} \
 			-n frontend \
@@ -79,9 +78,9 @@ deploy:
 		--set serviceAccount.workloadIdentityTenantId="$${FRONTEND_MI_TENANT_ID}" \
 		--set pullBinding.workloadIdentityClientId="$${IMAGE_PULLER_MI_CLIENT_ID}" \
 		--set pullBinding.workloadIdentityTenantId="$${IMAGE_PULLER_MI_TENANT_ID}" \
-		--set configMap.currentVersion=${ARO_HCP_FRONTEND_IMAGE}:$${IMAGE_TAG} \
+		--set configMap.currentVersion=${ARO_HCP_FRONTEND_IMAGE}:$${DIGEST} \
 		--set configMap.location=${LOCATION}  \
-		--set deployment.imageName=${ARO_HCP_FRONTEND_IMAGE}:$${IMAGE_TAG} \
+		--set deployment.imageName=${ARO_HCP_FRONTEND_IMAGE}@$${DIGEST} \
 		--set pullBinding.registry=${ARO_HCP_IMAGE_REGISTRY} \
 		--set pullBinding.scope=repository:${ARO_HCP_IMAGE_REPOSITORY}:pull \
 		--set clusterService.namespace=${CS_NAMESPACE} \
diff --git a/frontend/pipeline.yaml b/frontend/pipeline.yaml
index 77000fbb3..c0048ff03 100644
--- a/frontend/pipeline.yaml
+++ b/frontend/pipeline.yaml
@@ -24,8 +24,10 @@ resourceGroups:
       configRef: svc.aks.name
     - name: DB_NAME
       configRef: frontend.cosmosDB.name
-    - name: COMMIT
-      configRef: frontend.imageTag
+    - name: IMAGE_DIGEST
+      configRef: frontend.image.digest
+    - name: ARO_HCP_IMAGE_REPOSITORY
+      configRef: frontend.image.repository
     - name: SERVICE_KEY_VAULT
       configRef: serviceKeyVault.name
     - name: CERTIFICATE_NAME
diff --git a/get-digest.sh b/get-digest.sh
new file mode 100755
index 000000000..d132edea1
--- /dev/null
+++ b/get-digest.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+if [ "$#" -ne 2 ]
+then
+    echo "Need ARO_HCP_IMAGE_ACR and REPOSITORY parameters"
+    exit 1
+fi
+
+aro_hcp_image_acr=${1}
+repository=${2}
+
+if [ -n "${IMAGE_DIGEST_OVERRIDE}" ];
+then
+    echo ${IMAGE_DIGEST_OVERRIDE}
+    exit 0
+fi
+
+if [ -n "${IMAGE_DIGEST}" ];
+then
+    echo ${IMAGE_DIGEST}
+    exit 0
+fi
+
+
+tags=$(mktemp)
+trap "rm ${tags}" EXIT
+
+az acr repository show-tags --orderby time_desc --n ${aro_hcp_image_acr} --repository ${repository} --detail > $tags
+
+suggested_digest=$(jq -r --arg TAG $(git rev-parse --short=7 HEAD) \
+    'first(.[] | select(.name==$TAG) | .digest)' $tags)
+if [ -n "${suggested_digest}" ];
+then
+    echo ${suggested_digest}
+    exit 0
+fi
+
+jq -r 'first(.[] | .digest)' $tags
\ No newline at end of file
diff --git a/get-tag.sh b/get-tag.sh
deleted file mode 100755
index 7bcd73740..000000000
--- a/get-tag.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-if [ "$#" -ne 2 ]
-then
-    echo "Need ARO_HCP_IMAGE_ACR and REPOSITORY parameters"
-    exit 1
-fi
-
-aro_hcp_image_acr=${1}
-repository=${2}
-
-if [ -n "${COMMIT_OVERRIDE}" ];
-then
-    echo ${COMMIT_OVERRIDE}
-    exit 0
-fi
-
-if [ -n "${COMMIT}" ];
-then
-    echo ${COMMIT}
-    exit 0
-fi
-
-
-tags=$(mktemp)
-trap "rm ${tags}" EXIT
-
-az acr repository show-tags --orderby time_desc --n ${aro_hcp_image_acr} --repository ${repository} > $tags
-
-suggested_tag=$(grep $(git rev-parse --short=7 HEAD) $tags |cut -d '"' -f2)
-if [ -n "${suggested_tag}" ];
-then
-    echo ${suggested_tag}
-    exit 0
-fi
-
-grep '"' $tags | head -1 | cut -d '"' -f2