diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index 2315798..676a4ee 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -20,5 +20,5 @@ jobs:
int.api.stepsecurity.io:443
- name: Code Review
- uses: step-security/ai-codewise@int
+ uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int
diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml
index 3a05f81..45aebce 100644
--- a/.github/workflows/int.yml
+++ b/.github/workflows/int.yml
@@ -15,7 +15,7 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
with:
egress-policy: audit
- name: Checkout
@@ -46,6 +46,6 @@ jobs:
aws-region: us-west-2
- run: aws s3 cp ./agent s3://step-security-agent/refs/heads/int/agent --acl public-read
- name: Integration test
- uses: docker://ghcr.io/step-security/integration-test/int:latest
+ uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
env:
PAT: ${{ secrets.PAT }}
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
index 4bcb2ce..919ead0 100644
--- a/.github/workflows/scorecard-analysis.yml
+++ b/.github/workflows/scorecard-analysis.yml
@@ -24,6 +24,11 @@ jobs:
contents: read
steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: "Checkout code"
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 542388e..313ef15 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
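Review bot: The trailing `# int` on the pinned `ai-codewise` line in code-review.yml names the branch the SHA was taken from, not a release, so a reader cannot tell which state of the action is frozen here and tooling that refreshes SHA pins by reading the trailing comment has no version to track. The full-commit pin itself is the right change; it only needs the comment to say what the hash corresponds to, e.g. `uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int branch, pinned <DATE-PLACEHOLDER>`. Note that a branch-derived pin will not pick up further commits on `int` until it is bumped by hand. The job's step list and the allowed-endpoint entries begin before the hunk.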
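Review bot: The pinned `harden-runner` step in the first int.yml hunk is left unnamed, while the identical step this commit adds to scorecard-analysis.yml and test.yml carries `- name: Harden the runner (Audit all outbound calls)`; giving it the same name here keeps the job logs and the three workflows consistent, i.e. `- name: Harden the runner (Audit all outbound calls)` above `uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1`. Separately, the `egress-policy: audit` kept alongside the pin only records outbound connections; this job goes on to use AWS credentials and a `PAT` secret, so once the audit baseline is known it is a good candidate for `egress-policy: block` with an explicit allowed-endpoints list. The `jobs:` mapping continues outside the hunk.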
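Review bot: The digest-pinned image reference in the second int.yml hunk still reads `int:latest@sha256:…`, and a reference that carries a digest is resolved by the digest alone, so the `latest` tag is now informational and the step is frozen to one image even though the line looks like it tracks the moving tag. That is the intended effect given the step receives `PAT: ${{ secrets.PAT }}`, but it should be visible to whoever next updates the file; a trailing comment such as `# int image, digest resolved <DATE-PLACEHOLDER>` records why the digest was chosen and when it should be refreshed. The `env:` block and the step list continue outside the hunk.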
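Review bot: The harden-runner step added in scorecard-analysis.yml (and the identical one added in test.yml) runs with `egress-policy: audit`, which only records outbound connections and blocks nothing, so the workflow gains visibility but no enforcement from this change. That is a reasonable first step for establishing a baseline, but the intent is worth stating in the step so the policy is not left in audit by default, e.g. a comment above `egress-policy: audit` reading `# audit first; move to egress-policy: block with an allowed-endpoints list once the baseline is known`. The steps list of the job continues outside the hunk.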
@@ -16,6 +16,11 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Checkout
uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
- name: Set up Go