diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 120dcb9c6a..855c463504 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,4 +1,4 @@ -FROM jetpackio/devbox:latest +FROM jetpackio/devbox:latest@sha256:7e2e69b29d9e6292591e7b791160b9e02391044d5a2d71d5ce5a61774087f5a2 # Installing your devbox project WORKDIR /code diff --git a/.github/actions/setup-environment/action.yaml b/.github/actions/setup-environment/action.yaml index d9da3100da..2ca81ad7d2 100644 --- a/.github/actions/setup-environment/action.yaml +++ b/.github/actions/setup-environment/action.yaml @@ -8,7 +8,7 @@ runs: using: "composite" steps: - name: clone BBL repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: repository: cloudfoundry/app-autoscaler-env-bbl-state ssh-key: ${{ inputs.ssh-key }} diff --git a/.github/workflows/acceptance_tests_broker_close.yaml b/.github/workflows/acceptance_tests_broker_close.yaml index 501f70d28c..be10eac9df 100644 --- a/.github/workflows/acceptance_tests_broker_close.yaml +++ b/.github/workflows/acceptance_tests_broker_close.yaml @@ -11,9 +11,9 @@ jobs: name: Cleanup deployments runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: path: app-autoscaler-release ref: main diff --git a/.github/workflows/acceptance_tests_mta_close.yaml b/.github/workflows/acceptance_tests_mta_close.yaml index 2eca2084d7..91fa11fbbd 100644 --- a/.github/workflows/acceptance_tests_mta_close.yaml +++ b/.github/workflows/acceptance_tests_mta_close.yaml 
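Review bot: On the new `FROM` line in .devcontainer/Dockerfile the `latest` tag is kept next to the digest, and once a digest is present the tag no longer selects anything, so the line reads as "track latest" while actually freezing one build. I would add a comment above it such as `# digest-pinned; the tag is informational only, bump the digest to update`, or replace `latest` with the release tag the digest was resolved from if that is known. The same tag-plus-digest form appears in the `app-autoscaler-release-tools:main@sha256:…` container lines and in `ubuntu:noble@sha256:…` in ci/dockerfiles/autoscaler-tools/Dockerfile. Nothing in this diff shows what will bump these digests, so confirm that an automated updater covers Dockerfiles and workflow `container.image` fields; otherwise the pins will quietly stop receiving base-image security fixes.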
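Review bot: The trailing comment on the pinned `actions/checkout` line in setup-environment/action.yaml names only the major tag (`# v4`), which itself moves, so a reader cannot tell which release the 40-character SHA corresponds to or check it against upstream. I would record the exact release, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.<minor>.<patch>` with the real version filled in; the same applies to every other `# v4`, `# v3`, `# v5`, `# v1` and `# v0` comment in this commit. Separately, this step clones `cloudfoundry/app-autoscaler-env-bbl-state` with `ssh-key: ${{ inputs.ssh-key }}`, and the `with:` block continues past the hunk, so I cannot see whether `persist-credentials: false` is set. It should be set if later steps do not need the key.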
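Review bot: The `container.image` digest `sha256:b0b8601a…` is now hard-coded in acceptance_tests_broker_close.yaml and, with the same value, in the mta_close, bosh-release-checks, bosh-templates, codeql-analysis, java-ci-lint, manifest, mysql, openapi-specs-check, postgres, tidy-go-mod and update-all-golang-dependencies workflows. If this tools image is the one built from ci/dockerfiles/autoscaler-tools/Dockerfile (an inference from the names, not shown in the diff), changes to that Dockerfile will not reach CI until all of these copies are bumped, and a partial bump leaves jobs running different toolchains. I would add a comment next to the pin, for example `# digest of release-tools:main as of <date>; keep identical across all workflows`, and check that the updater groups these lines into one change.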
@@ -11,9 +11,9 @@ jobs: name: Cleanup deployments runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: path: app-autoscaler-release ref: main diff --git a/.github/workflows/acceptance_tests_reusable.yaml b/.github/workflows/acceptance_tests_reusable.yaml index 869379ca24..4cafdb8738 100644 --- a/.github/workflows/acceptance_tests_reusable.yaml +++ b/.github/workflows/acceptance_tests_reusable.yaml @@ -45,7 +45,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: path: app-autoscaler-release - name: Setup environment for deployment @@ -75,7 +75,7 @@ jobs: image: "${{ inputs.self_hosted_image }}" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: path: app-autoscaler-release - name: Setup environment for acceptance tests @@ -105,7 +105,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: path: app-autoscaler-release - name: Setup environment for deployment cleanup diff --git a/.github/workflows/asdf2devbox.yaml b/.github/workflows/asdf2devbox.yaml index cf71577847..c61b7caa1a 100644 --- a/.github/workflows/asdf2devbox.yaml +++ b/.github/workflows/asdf2devbox.yaml @@ -20,7 +20,7 @@ jobs: # # For more information, see: # - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/bosh-release-checks.yaml b/.github/workflows/bosh-release-checks.yaml index 4cd38266ae..795a14dacd 100644 
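Review bot: In the acceptance_tests_reusable.yaml hunk at `@@ -75,7 +75,7 @@` the job's container is still `image: "${{ inputs.self_hosted_image }}"`, so this job runs in whatever image reference the caller passes and is not covered by the digest pinning done elsewhere in this commit. The callers are outside this diff; if any of them passes a bare tag, the pinned `actions/checkout` step runs inside an unpinned image. I would document the expectation on the input, for example a description reading `image reference including an @sha256 digest`, or have the callers pass the same digest the other workflows use.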
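Review bot: The pinned checkout in asdf2devbox.yaml uses `ref: ${{ github.event.pull_request.head.sha }}` with `fetch-depth: 0`, i.e. it checks out the pull request's own content, and the workflow trigger and permissions are outside the hunk. If the workflow has a write token or secrets available, pinning the action does not change the fact that later steps operate on contributor-controlled files. Adding `persist-credentials: false` under `with:` would keep the token out of the checked-out repository's git config, unless a later step needs it to push.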
--- a/.github/workflows/bosh-release-checks.yaml +++ b/.github/workflows/bosh-release-checks.yaml @@ -12,11 +12,11 @@ jobs: name: ensure gosub specs are up to date runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - name: Trust my checkout run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: sync-package-specs shell: bash run: | @@ -39,12 +39,12 @@ jobs: name: Create Bosh Release runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - name: Trust my checkout run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Run Update shell: bash run: | @@ -59,7 +59,7 @@ jobs: - name: Build Dev Release id: build - uses: orange-cloudfoundry/bosh-release-action@v2.1.0 + uses: orange-cloudfoundry/bosh-release-action@a124f0c7eda59d3070c66507bcda21196d7e0a90 # v2.1.0 - name: Compile Dev Release uses: cloudfoundry/bosh-compile-action@main diff --git a/.github/workflows/bosh-templates.yaml b/.github/workflows/bosh-templates.yaml index 811e1ec5d4..c75d829cee 100644 --- a/.github/workflows/bosh-templates.yaml +++ b/.github/workflows/bosh-templates.yaml 
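Review bot: In the bosh-release-checks.yaml hunk at `@@ -59,7 +59,7 @@` the following step, `uses: cloudfoundry/bosh-compile-action@main`, is left tracking a branch while the step just above it is pinned to a commit. A branch is the most mutable kind of reference, so this job still executes whatever is at the tip of that repository's `main` at run time. I would pin it the same way, `uses: cloudfoundry/bosh-compile-action@<full-commit-sha> # main`, using a commit the team has reviewed. Any `with:` block of that step is outside the hunk.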
@@ -12,10 +12,10 @@ jobs: name: Bosh Templates Test runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Ruby uses: ruby/setup-ruby@v1 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e9b6868caf..da9e99b62a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -29,7 +29,7 @@ jobs: name: Analyze runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 permissions: actions: read @@ -44,14 +44,14 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Trust my checkout run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -64,4 +64,4 @@ jobs: make build-all - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3 diff --git a/.github/workflows/dependency-updates-post-processing.yaml b/.github/workflows/dependency-updates-post-processing.yaml index 291b3c66e6..871bcb3605 100644 
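Review bot: The `Set up Ruby` step visible at the end of the bosh-templates.yaml hunk still uses `ruby/setup-ruby@v1`, a moving major tag, directly after the checkout step that this commit pins. That action downloads and installs an interpreter into the job, so it deserves the same treatment: `uses: ruby/setup-ruby@<full-commit-sha> # v1.<minor>.<patch>`. The rest of the step lies outside the hunk.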
--- a/.github/workflows/dependency-updates-post-processing.yaml +++ b/.github/workflows/dependency-updates-post-processing.yaml @@ -22,7 +22,7 @@ jobs: # # For more information, see: # - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 submodules: true diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 7a7eebc7c2..ded1727967 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -32,10 +32,10 @@ jobs: name: Build and Push app-autoscaler-release-${{ matrix.image_suffix }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -43,7 +43,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.image_suffix }} diff --git a/.github/workflows/java-ci-lint.yaml b/.github/workflows/java-ci-lint.yaml index d85f04b70f..cc1f469f65 100644 --- a/.github/workflows/java-ci-lint.yaml +++ b/.github/workflows/java-ci-lint.yaml @@ -17,9 +17,9 @@ jobs: code-style: runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Check Code Formatting run: | diff --git a/.github/workflows/linters.yaml b/.github/workflows/linters.yaml index 2de9c75a8c..89c42f28a6 100644 --- a/.github/workflows/linters.yaml 
+++ b/.github/workflows/linters.yaml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Trust my checkout run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" @@ -25,21 +25,21 @@ jobs: run: | make lint-go - name: shellcheck - uses: reviewdog/action-shellcheck@v1 + uses: reviewdog/action-shellcheck@22f96e34e9185b642c5567cc26d1df952f5c9d10 # v1 with: reporter: github-pr-review - name: actionlint - uses: reviewdog/action-actionlint@v1 + uses: reviewdog/action-actionlint@053c5cf55eed0ced1367cdc5e658df41db3a0cce # v1 with: reporter: github-pr-review - name: Run Ruby linter run: | make lint-ruby - name: alex - uses: reviewdog/action-alex@v1 + uses: reviewdog/action-alex@986cf7dd82e702f82b4173deaa793a849f5b719d # v1 with: reporter: github-pr-review - name: markdownlint - uses: reviewdog/action-markdownlint@v0 + uses: reviewdog/action-markdownlint@f901468edf9a3634dd39b35ba26cad0aad1a0bfd # v0 with: reporter: github-pr-review diff --git a/.github/workflows/manifest.yaml b/.github/workflows/manifest.yaml index 7a5e325683..a7780ca326 100644 --- a/.github/workflows/manifest.yaml +++ b/.github/workflows/manifest.yaml @@ -19,10 +19,10 @@ jobs: name: Manifest Tests runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Run Tests - Manifest run: | diff --git a/.github/workflows/mysql.yaml b/.github/workflows/mysql.yaml index 57a328100f..76f9ba42a5 100644 --- a/.github/workflows/mysql.yaml +++ b/.github/workflows/mysql.yaml 
@@ -21,7 +21,7 @@ jobs: DB_PASSWORD: root runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 continue-on-error: true name: Build suite=${{ matrix.suite }}, mysql=${{ matrix.mysql }} services: @@ -39,7 +39,7 @@ jobs: - name: Trust my checkout run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: make build run: | make generate-openapi-generated-clients-and-servers diff --git a/.github/workflows/openapi-specs-check.yaml b/.github/workflows/openapi-specs-check.yaml index 8a8044176d..abe1284d68 100644 --- a/.github/workflows/openapi-specs-check.yaml +++ b/.github/workflows/openapi-specs-check.yaml @@ -5,10 +5,10 @@ jobs: validate: runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - name: Get Repository content - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Validating OpenAPI Specifications shell: bash run: | diff --git a/.github/workflows/postgres.yaml b/.github/workflows/postgres.yaml index 0987d596b9..0d14ec0e7a 100644 --- a/.github/workflows/postgres.yaml +++ b/.github/workflows/postgres.yaml @@ -21,7 +21,7 @@ jobs: DB_PASSWORD: postgres runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 continue-on-error: true name: Build suite=${{ matrix.suite }}, postgres=${{ matrix.postgres }} services: 
@@ -42,7 +42,7 @@ jobs: - name: Trust my checkout run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: make build env: POSTGRES_HOST: postgres diff --git a/.github/workflows/tidy-go-mod.yaml b/.github/workflows/tidy-go-mod.yaml index 45b6d588d0..d9402f2fa0 100644 --- a/.github/workflows/tidy-go-mod.yaml +++ b/.github/workflows/tidy-go-mod.yaml @@ -11,9 +11,9 @@ jobs: name: ensure that go mod tidy has run runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Trust my checkout run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" diff --git a/.github/workflows/update-all-golang-dependencies.yaml b/.github/workflows/update-all-golang-dependencies.yaml index cd13a860e9..bc2479e97a 100644 --- a/.github/workflows/update-all-golang-dependencies.yaml +++ b/.github/workflows/update-all-golang-dependencies.yaml @@ -9,12 +9,12 @@ jobs: name: "go get -u" runs-on: ubuntu-latest container: - image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main + image: ghcr.io/cloudfoundry/app-autoscaler-release-tools:main@sha256:b0b8601a28a802b6e5fe683147786db536580baf261a0834912ef1dfd0cb7ba1 permissions: pull-requests: write contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 submodules: true diff --git a/ci/dockerfiles/autoscaler-tools/Dockerfile b/ci/dockerfiles/autoscaler-tools/Dockerfile index e39b1fbb64..8bb04420d2 100644 --- a/ci/dockerfiles/autoscaler-tools/Dockerfile +++ b/ci/dockerfiles/autoscaler-tools/Dockerfile 
@@ -1,4 +1,4 @@ -FROM ubuntu:noble +FROM ubuntu:noble@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab MAINTAINER autoscaler-team ENV DEBIAN_FRONTEND="noninteractive" TZ="Europe/London"
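Review bot: Directly below the newly pinned `FROM` in ci/dockerfiles/autoscaler-tools/Dockerfile, `MAINTAINER autoscaler-team` uses a deprecated instruction and `ENV DEBIAN_FRONTEND="noninteractive"` bakes a build-time setting into the environment of every container started from this image. I would replace them with `LABEL org.opencontainers.image.authors="autoscaler-team"`, `ARG DEBIAN_FRONTEND=noninteractive` and `ENV TZ="Europe/London"`. The rest of the Dockerfile is outside the hunk, so check that no later instruction or consumer relies on `DEBIAN_FRONTEND` being set at run time.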