diff --git a/.github/actions/publish-docker/action.yml b/.github/actions/publish-docker/action.yml
index fe9b510..cc637ad 100644
--- a/.github/actions/publish-docker/action.yml
+++ b/.github/actions/publish-docker/action.yml
@@ -83,7 +83,7 @@ runs:
 push: false # push after the security scans below
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
 with:
 image-ref: ${{ env.docker_image }}
 format: sarif
diff --git a/.github/workflows/check-code-quality.yml b/.github/workflows/check-code-quality.yml
index 6049241..f8ef7f9 100644
--- a/.github/workflows/check-code-quality.yml
+++ b/.github/workflows/check-code-quality.yml
@@ -73,7 +73,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 if: always()
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
 with:
 scan-type: fs
 ignore-unfixed: true
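Review bot: Nothing visible in this diff keeps the SHA pin on the new `uses:` line in `.github/actions/publish-docker/action.yml` current, and the same SHA is repeated in `.github/workflows/check-code-quality.yml`, so the two copies can drift apart or go stale. If the repository has no updater for actions, consider a Dependabot entry with `package-ecosystem: "github-actions"`; as far as I know a `directory: "/"` entry covers `.github/workflows` but not a composite action under `.github/actions/publish-docker`, which would need its own directory entry. A short comment above each pin, such as `# Pinned to a full commit SHA; bump the SHA and the version comment together in both files`, would record the intent. It is also worth confirming against the upstream release that this SHA is the commit the `0.35.0` tag points to, since the trailing comment is the only record of the version. The pin fixes the action's own code only; whether the Trivy binary and database it fetches are fixed depends on inputs in the `with:` blocks, which continue outside both hunks.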