diff --git a/.github/workflows/reusable-container-scan.yml b/.github/workflows/reusable-container-scan.yml
index 97ce169..4ad6c29 100644
--- a/.github/workflows/reusable-container-scan.yml
+++ b/.github/workflows/reusable-container-scan.yml
@@ -80,7 +80,7 @@ jobs:
 # nv-scanner-image: neuvector/scanner:5
 - name: Scan container image with Trivy
 if: ${{ inputs.trivy-enabled }}
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 image-ref: ${{ env.IMAGE_REF }}
 format: 'table'
diff --git a/.github/workflows/reusable-terraform-quality.yml b/.github/workflows/reusable-terraform-quality.yml
index 89918f6..23a257e 100644
--- a/.github/workflows/reusable-terraform-quality.yml
+++ b/.github/workflows/reusable-terraform-quality.yml
@@ -83,7 +83,7 @@ jobs:
 - name: Run TFLint
 run: tflint --recursive --format compact
 - name: Run Trivy IaC scan
- uses: aquasecurity/trivy-action@0.33.1
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 scan-type: "config"
 format: "sarif"
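Review bot: The `# v0.35.0` label on the new `uses:` line is only a comment, so nothing in the workflow checks that `57a97c7e7821a5776cebc9bb87c984fa69cba8f1` is the commit that tag points to in aquasecurity/trivy-action itself rather than one reachable only through a fork; the same pin is repeated in the reusable-terraform-quality.yml hunk. Before merging, compare it with the peeled commit printed by `git ls-remote --tags https://github.com/aquasecurity/trivy-action 'v0.35.0*'`. The ref replaced in the second hunk was `0.33.1` without a `v` prefix, so it is also worth confirming the tag really is named `v0.35.0`, since update tooling such as Dependabot or Renovate uses or rewrites that comment when it bumps the SHA. A one-line comment above each step, e.g. `# Pinned to a full commit SHA; bump the SHA and the version comment together`, would help keep the ref from drifting back to a branch or tag. Both step bodies continue outside their hunks, so the remaining `with:` inputs could not be reviewed here.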