diff --git a/docker/lib/dependabot/docker/utils/credentials_finder.rb b/docker/lib/dependabot/docker/utils/credentials_finder.rb
index e945739faf4..d37fa86fbcd 100644
--- a/docker/lib/dependabot/docker/utils/credentials_finder.rb
+++ b/docker/lib/dependabot/docker/utils/credentials_finder.rb
@@ -1,8 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "aws-sdk-ecr"
 require "base64"
+require "sorbet-runtime"
 
 require "dependabot/credential"
 require "dependabot/errors"
@@ -16,6 +17,7 @@ class CredentialsFinder
         AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
         DEFAULT_DOCKER_HUB_REGISTRY = "registry.hub.docker.com"
 
+        sig { params(credentials: T::Array[Dependabot::Credential]).void }
         def initialize(credentials)
           @credentials = credentials
         end
@@ -32,14 +34,20 @@ def credentials_for_registry(registry_hostname)
           build_aws_credentials(registry_details)
         end
 
+        sig { returns(T.nilable(String)) }
         def base_registry
-          @base_registry ||= credentials.find do |cred|
-            cred["type"] == "docker_registry" && cred.replaces_base?
-          end
-          @base_registry ||= { "registry" => DEFAULT_DOCKER_HUB_REGISTRY, "credentials" => nil }
+          @base_registry ||= T.let(
+            credentials.find do |cred|
+              cred["type"] == "docker_registry" && cred.replaces_base?
+            end,
+            T.nilable(Dependabot::Credential)
+          )
+          @base_registry ||= Dependabot::Credential.new({ "registry" => DEFAULT_DOCKER_HUB_REGISTRY,
+                                                          "credentials" => nil })
           @base_registry["registry"]
         end
 
+        sig { params(registry: String).returns(T::Boolean) }
         def using_dockerhub?(registry)
           registry == DEFAULT_DOCKER_HUB_REGISTRY
         end
@@ -76,11 +84,11 @@ def build_aws_credentials(registry_details)
 
           # Otherwise, we need to use the provided Access Key ID and secret to
           # generate a temporary username and password
-          @authorization_tokens ||= {}
+          @authorization_tokens ||= T.let({}, T.nilable(T::Hash[String, String]))
           @authorization_tokens[registry_hostname] ||=
             ecr_client.get_authorization_token.authorization_data.first.authorization_token
           username, password =
-            Base64.decode64(@authorization_tokens[registry_hostname]).split(":")
+            Base64.decode64(T.must(@authorization_tokens[registry_hostname])).split(":")
           registry_details.merge(Dependabot::Credential.new({ "username" => username, "password" => password }))
         rescue Aws::Errors::MissingCredentialsError,
                Aws::ECR::Errors::UnrecognizedClientException,