diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 7a3a3ff..1cf61c6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -16,7 +16,11 @@ jobs:
 - name: Harden runner
 uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.securityscorecards.dev:443
+ github.com:443
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Dependency review
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index d7a8489..8fa9aae 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -19,6 +19,15 @@ jobs:
 permissions:
 pull-requests: write
 steps:
+ - name: Harden runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index 684a5cc..d3ed04c 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
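Review bot: The new `allowed-endpoints` list carries no provenance, so the next person whose step fails under `block` cannot tell which entries are load-bearing; a comment above the list such as `# Allowlist from harden-runner audit-mode insights; extend only when a step reports a blocked connection` would record that. `api.securityscorecards.dev:443` presumably serves a Scorecard lookup made by the dependency-review step, which sits below the hunk, and naming that in the comment would explain why an endpoint unrelated to GitHub is admitted here. The same missing provenance note applies to the gitleaks.yml, openssf-scorecard.yml and test.yml hunks in this commit.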
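Review bot: The two `*.githubusercontent.com` entries look like the hosts used to fetch the gitleaks release binary, but the step that needs them is below the hunk and the list itself says nothing, so a comment such as `# objects/release-assets.githubusercontent.com: gitleaks release download` belongs above it. Placing the harden-runner step first, ahead of checkout, is the right order since later steps are the ones whose egress it governs. On style, the new step is named while the existing `- uses: actions/checkout@…` below it is not; adding `name: Checkout repository` there would match the other three workflows touched by this commit.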
@@ -19,7 +19,20 @@ jobs:
 - name: Harden runner
 uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.deps.dev:443
+ api.github.com:443
+ api.osv.dev:443
+ api.scorecard.dev:443
+ api.securityscorecards.dev:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ prod.app-api.stepsecurity.io:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4956fbb..d90cca7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,32 @@ jobs:
 - name: Harden runner
 uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ 0.pool.ntp.org:443
+ api.apple-cloudkit.com:443
+ calendars.icloud.com:443
+ configuration.apple.com:443
+ fbs.smoot.apple.com:443
+ formulae.brew.sh:443
+ gateway.icloud.com:443
+ gdmf.apple.com:443
+ ghcr.io:443
+ github.com:443
+ gsa.apple.com:443
+ gsp-ssl.ls.apple.com:443
+ gspe35-ssl.ls.apple.com:443
+ init.itunes.apple.com:443
+ ipcdn.apple.com:443
+ mask-api.icloud.com:443
+ mesu.apple.com:443
+ metrics.icloud.com:443
+ ocsp.sectigo.com:80
+ ocsp2.apple.com:443
+ pancake.apple.com:443
+ pkg-containers.githubusercontent.com:443
+ updates.cdn-apple.com:443
+ xp.apple.com:443
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install dependencies
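Review bot: `prod.app-api.stepsecurity.io:443` is allowlisted here but in none of the other three workflows in this commit; if the harden-runner agent needs that endpoint under `block`, those workflows are missing it, and if the agent reaches its own API regardless of the allowlist, the entry is redundant here — confirm which from the action's documentation before merging. Both `api.scorecard.dev:443` and `api.securityscorecards.dev:443` are listed; a comment recording which host the pinned scorecard action actually calls would let the legacy one be dropped later instead of surviving indefinitely. The sigstore hosts (`fulcio.sigstore.dev`, `rekor.sigstore.dev`, `tuf-repo-cdn.sigstore.dev`) are presumably there for signed result publication, which is worth stating in the same comment since the scorecard step's inputs are outside the hunk.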
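Review bot: The list admits a number of macOS system-telemetry hosts (`metrics.icloud.com`, `fbs.smoot.apple.com`, `pancake.apple.com`, `gsa.apple.com`, `calendars.icloud.com`, `mask-api.icloud.com`) that no build or test step should depend on; allowing them widens the egress policy to traffic the job does not need and buries genuine anomalies in the insights. In block mode a denied connection should only fail a step that actually needs it, so these entries can likely be removed and the job re-run to confirm nothing breaks (the job's `runs-on` is outside the hunk, so the macOS reading is inferred from the hosts). `0.pool.ntp.org:443` also deserves a check: NTP is UDP/123, so a TCP 443 entry for that host is unlikely to be a real dependency of the test steps. `ocsp.sectigo.com:80` is expected, since OCSP is served over plain HTTP, and a short comment such as `# ocsp.sectigo.com:80 — OCSP is plain HTTP by design` would stop someone from "correcting" it to 443.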