diff --git a/.dockerignore b/.dockerignore
index 8248486..91346c1 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,5 @@
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
 # local testing files that may contain secrets
 *.tmp.json
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 7bee87b..6d28536 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -114,7 +114,7 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3
+        uses: github/codeql-action/upload-sarif@ae9ef3a1d2e3413523c3741725c30064970cc0d4 # v3
         if: always()
         with:
           sarif_file: trivy-results.sarif
diff --git a/pkg/resource/version.go b/pkg/resource/version.go
index d82489e..afe318c 100644
--- a/pkg/resource/version.go
+++ b/pkg/resource/version.go
@@ -1,3 +1,6 @@
+// SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+// SPDX-License-Identifier: Apache-2.0
+
 package resource
 
 import (