diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index 75e2385..a5de43d 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -49,12 +49,12 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
         with:
           sarif_file: results.sarif
 
       - name: Persist SARIF for downstream score-gate job
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: scorecard-results
           path: results.sarif
@@ -67,7 +67,7 @@ jobs:
       contents: read
     steps:
       - name: Download SARIF from scorecard job
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5.0.0
         with:
           name: scorecard-results
 
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 7466538..1d09320 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   scan:
-    uses: hyperpolymath/panic-attacker/.github/workflows/scan-and-report.yml@23b44b39698bfebce67b931d2a849281a3999812
+    uses: hyperpolymath/panic-attacker/.github/workflows/scan-and-report.yml@edbfcffec120a63fbf4cc393f1439d32589248d7
 
     secrets:
       VERISIMDB_PAT: ${{ secrets.VERISIMDB_PAT }}