diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
index d2f6d5f..0ca0807 100644
--- a/.github/workflows/devskim.yml
+++ b/.github/workflows/devskim.yml
@@ -13,6 +13,9 @@ on:
 schedule:
 - cron: '19 5 * * 2'

+permissions:
+ contents: read
+
 jobs:
 lint:
 name: DevSkim
@@ -23,12 +26,12 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8

 - name: Run DevSkim scanner
- uses: microsoft/DevSkim-Action@v1
+ uses: microsoft/DevSkim-Action@a8a9e06bab570db990fe7351ae9d4d444b9489ca

 - name: Upload DevSkim scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@678fc3afe258fb2e0cdc165ccf77b85719de7b3c
 with:
 sarif_file: devskim-results.sarif
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
index e0da22b..205de79 100644
--- a/.github/workflows/flawfinder.yml
+++ b/.github/workflows/flawfinder.yml
@@ -14,6 +14,9 @@ on:
 schedule:
 - cron: '23 11 * * 3'

+permissions:
+ contents: read
+
 jobs:
 flawfinder:
 name: Flawfinder
@@ -24,7 +27,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8

 - name: flawfinder_scan
 uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
@@ -33,6 +36,6 @@ jobs:
 output: 'flawfinder_results.sarif'

 - name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@678fc3afe258fb2e0cdc165ccf77b85719de7b3c
 with:
 sarif_file: ${{github.workspace}}/flawfinder_results.sarif
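Review bot: The workflow-level `permissions:` / `contents: read` added in the first hunk of devskim.yml does not merge with the job-level block whose `security-events: write` line shows as context in the next hunk. A job that declares its own `permissions` receives only the scopes that block lists, and every scope it omits is set to none. That job-level block starts outside the hunk, so confirm it still lists `contents: read` for the checkout step. A comment above the new key, such as `# default for jobs that do not declare their own permissions block`, would record that this is a backstop for future jobs. The same applies to the identical first hunk in flawfinder.yml.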
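Review bot: The three `uses:` lines pinned to full commit SHAs in the second hunk of devskim.yml do not say which release each SHA corresponds to. A reviewer cannot tell from the file whether a pin is current, or whether a later bump moves forward or backward. Append the tag as a trailing comment, e.g. `uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8  # <release tag>`. If the repository has no Dependabot or Renovate entry for the `github-actions` ecosystem, add one so the pinned scanners keep receiving upstream fixes. The same applies to the pinned lines in the second and third hunks of flawfinder.yml; the `steps:` lists start or end outside these hunks.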