diff --git a/.github/workflows/docker-image-to-aws-ecr.yaml b/.github/workflows/docker-image-to-aws-ecr.yaml
index 8276c1b..fb1c4be 100644
--- a/.github/workflows/docker-image-to-aws-ecr.yaml
+++ b/.github/workflows/docker-image-to-aws-ecr.yaml
@@ -64,7 +64,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@376925c9d111252e87ae59691e5a442dd100ef6a # v2
+        uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2
         with:
           registries: ${{ inputs.AWS_ACCOUNT_ID }}
           mask-password: "true" # see: https://github.com/aws-actions/amazon-ecr-login#docker-credentials
diff --git a/.github/workflows/ecr-publish.yaml b/.github/workflows/ecr-publish.yaml
index 4a410b1..ffbe5a1 100644
--- a/.github/workflows/ecr-publish.yaml
+++ b/.github/workflows/ecr-publish.yaml
@@ -69,7 +69,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr-public
-        uses: aws-actions/amazon-ecr-login@376925c9d111252e87ae59691e5a442dd100ef6a # v2
+        uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2
         with:
           registry-type: public
 
diff --git a/.github/workflows/go-build.yaml b/.github/workflows/go-build.yaml
index 5edd03d..80c7f12 100644
--- a/.github/workflows/go-build.yaml
+++ b/.github/workflows/go-build.yaml
@@ -89,7 +89,7 @@ jobs:
         with:
           name: cover.out
       - name: Check test coverage
-        uses: vladopajic/go-test-coverage@f190f667e23b4441202d0bab0f8c2e7bce8925b6 # v2
+        uses: vladopajic/go-test-coverage@b7a53f8889e7246b7af7ad84e96a7c9704bf01fb # v2
         with:
           profile: cover.out
           local-prefix: github.com/org/project
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 6b01df2..bc0a688 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -34,7 +34,7 @@ jobs:
           EOF
 
       - name: Security check - Trivy
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -54,7 +54,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ inputs.ENABLE_BANDIT || inputs.ENABLE_SAST }}
     container:
-      image: semgrep/semgrep@sha256:d7d67e1e0c0ed26278ab35f0be082f0afdfd7a880f4927aee86f8127fdbce617
+      image: semgrep/semgrep@sha256:7810f1d7884974ab6dda7bef8f4a2c8e165ea2142fd8260515d380e4f1407263
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - run: semgrep scan --config auto
\ No newline at end of file