diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
index 5cc75dcec..af99d8b09 100644
--- a/.github/workflows/flawfinder.yml
+++ b/.github/workflows/flawfinder.yml
@@ -5,6 +5,9 @@ name: flawfinder
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ "develop" ]
@@ -24,15 +27,15 @@ jobs:
 security-events: write
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: flawfinder_scan
- uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
+ uses: david-a-wheeler/flawfinder@c57197cd6061453f10a496f30a732bc1905918d1 # v2.0.19
 with:
 arguments: '--sarif ./'
 output: 'flawfinder_results.sarif'
 - name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@7434149006143a4d75b82a2f411ef15b03ccc2d7 # v4
 with:
 sarif_file: ${{github.workspace}}/flawfinder_results.sarif
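Review bot: The new top-level `permissions:` block in the first hunk (`@@ -5,6 +5,9 @@`) carries no comment saying that it is only the default for jobs without their own block. The `security-events: write` context line in the second hunk suggests the job declares its own permissions, which would replace this default for that job rather than merge with it. I would add above the block `# Workflow-wide default token scope; jobs that declare their own permissions block override this.` so that a job added later without a block is understood to inherit read-only access.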
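Review bot: The `# v4` comment on the pinned `upload-sarif` line in the second hunk (`@@ -24,15 +27,15 @@`) names a moving major tag, while the other two pins record an exact release (`# v5.0.0`, `# v2.0.19`), so a reader cannot tell from the file which release that SHA is meant to match. I would write the exact release there, `uses: github/codeql-action/upload-sarif@7434149006143a4d75b82a2f411ef15b03ccc2d7 # v4.X.Y` (placeholder; fill in the tag this commit belongs to), after confirming that each of the three SHAs resolves to its stated tag in the upstream repository and not only in a fork. The same lines also move `actions/checkout` from v4 to v5 and `upload-sarif` from v3 to v4, which is a behaviour change beyond pinning; the runner requirements of the new majors should be checked against whatever `runs-on` the job uses, which is outside the hunk. Pinned SHAs do not update themselves, so an update bot covering the `github-actions` ecosystem is worth having if the repository lacks one.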