diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 03b605a..88c4f6c 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -17,10 +17,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Run Semgrep
- uses: returntocorp/semgrep-action@v1
+ uses: returntocorp/semgrep-action@03e27a9dc9e8d6d68a6b5c5e73f0821ff4df1c46 # v1.25.0
 with:
 config: >-
 p/security-audit
@@ -30,7 +30,7 @@ jobs:
 generateSarif: true
 - name: Upload Semgrep SARIF results
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@c7d0eebf0efb81753d773b54ee46f4278db8ab5d # v3.25.12
 if: always()
 with:
 sarif_file: semgrep.sarif
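Review bot: The checkout step in the first hunk is now pinned but still has no `with:` block, so the default of leaving the job token in the workspace's git config applies while the third-party Semgrep action runs on that checkout. Adding `with:` and `persist-credentials: false` under the pinned `uses:` line removes that exposure, and nothing in the visible steps appears to need git credentials afterwards. The trailing `# v4.2.2`, `# v1.25.0` and `# v3.25.12` comments (the last one is in the second hunk) are not checked by the runner, so each SHA should be confirmed against the tag in the upstream repository itself before merge. The rest of the job lies outside both hunks.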
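Review bot: With `upload-sarif` pinned to a full SHA in the second hunk, this step no longer picks up upstream fixes on its own, and the diff adds no updater alongside the pins. If the repository does not already have one, a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml` keeps SHA pins and their version comments current; the same applies to the two pins in the first hunk. This step also needs `security-events: write` on the job token, and any `permissions:` block is outside the hunk, so it is worth confirming that it grants only that plus `contents: read`.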