diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index a1f4072..7e56a99 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -27,13 +27,18 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Source
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
           ref: main
 
       - name: Render terraform docs and push changes back to PR
-        uses: terraform-docs/gh-actions@v1
+        uses: terraform-docs/gh-actions@7a62208a0090636af2df1b739da46d27fd90bdc6 # v1.1.0
         with:
           git-commit-message: "docs: Generate documentation in README.md"
           git-push-sign-off: "true"
diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
index 42a71a5..e808475 100644
--- a/.github/workflows/markdownlint.yml
+++ b/.github/workflows/markdownlint.yml
@@ -27,6 +27,11 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Source
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
diff --git a/.github/workflows/trivy-vuln.yml b/.github/workflows/trivy-vuln.yml
index de03444..730cdb0 100644
--- a/.github/workflows/trivy-vuln.yml
+++ b/.github/workflows/trivy-vuln.yml
@@ -48,7 +48,7 @@ jobs:
           persist-credentials: false
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.18.0
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
         with:
           scan-type: fs
           format: sarif
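Review bot: The new Harden Runner step in documentation.yml (and the identical one in markdownlint.yml) runs with `egress-policy: audit`, which only records the runner's outbound connections and blocks nothing, so in a job that holds `contents: write` and pushes commits back to the PR it does not yet reduce the blast radius of a compromised action or dependency. Audit is the right first step, but the follow-up should be recorded so it is not forgotten: once the audit shows the hosts these jobs actually need, switch to `egress-policy: block` with an `allowed-endpoints` list. A comment on the added line such as `# TODO: switch to egress-policy: block with allowed-endpoints after reviewing the audit report` would make the intent clear to the next maintainer. Pinning terraform-docs/gh-actions to a commit SHA with the `# v1.1.0` tag comment is the right move, and the job's surrounding YAML starts and ends outside the hunk.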
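Review bot: The trivy-vuln.yml hunk pins aquasecurity/trivy-action to a commit SHA but, unlike the other two workflows in this commit, does not add the Harden Runner step, so this job's egress stays entirely unmonitored even though the scanner necessarily reaches out to fetch its vulnerability database. If that omission is deliberate (the step may already exist above line 48, which is outside the hunk), a one-line comment saying so would help; otherwise add the same `Harden Runner` step with `egress-policy: audit` ahead of the checkout step, as done in documentation.yml. The `# 0.18.0` comment correctly reflects that trivy-action tags carry no `v` prefix, so it should not be "normalised" to match the other comments. The enclosing job definition starts and ends outside the hunk.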