diff --git a/.devcontainer/debian-10/Dockerfile b/.devcontainer/debian-10/Dockerfile
index 6885c6e5a..62247ee60 100644
--- a/.devcontainer/debian-10/Dockerfile
+++ b/.devcontainer/debian-10/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:10
+FROM debian:10@sha256:46ca02d33c65ab188d6e56f26c323bf1aa9a99074f2f54176fdc3884304f58b8
 ARG CMAKE_VERSION="3.26.4"
diff --git a/.devcontainer/ubuntu-20.04/Dockerfile b/.devcontainer/ubuntu-20.04/Dockerfile
index 56d0a3f2b..9b1637cd4 100644
--- a/.devcontainer/ubuntu-20.04/Dockerfile
+++ b/.devcontainer/ubuntu-20.04/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:ed4a42283d9943135ed87d4ee34e542f7f5ad9ecf2f244870e23122f703f91c2
 ARG CMAKE_VERSION="3.26.4"
diff --git a/.devcontainer/ubuntu-22.04/Dockerfile b/.devcontainer/ubuntu-22.04/Dockerfile
index 78845543d..96ea97890 100644
--- a/.devcontainer/ubuntu-22.04/Dockerfile
+++ b/.devcontainer/ubuntu-22.04/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:2b7412e6465c3c7fc5bb21d3e6f1917c167358449fecac8176c6e496e5c1f05f
 ARG CMAKE_VERSION="3.26.4"
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 0cb7b3485..dc412d29d 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -6,3 +6,18 @@ updates:
 interval: "weekly"
 open-pull-requests-limit: 10
 rebase-strategy: disabled
+
+ - package-ecosystem: docker
+ directory: /.devcontainer/debian-10
+ schedule:
+ interval: weekly
+
+ - package-ecosystem: docker
+ directory: /.devcontainer/ubuntu-20.04
+ schedule:
+ interval: weekly
+
+ - package-ecosystem: docker
+ directory: /.devcontainer/ubuntu-22.04
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/buildmgr.yml b/.github/workflows/buildmgr.yml
index 7811d9246..fc0001a3c 100644
--- a/.github/workflows/buildmgr.yml
+++ b/.github/workflows/buildmgr.yml
@@ -38,6 +38,8 @@ on:
 release:
 types: [ published ]
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
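Review bot: Pinning `FROM debian:10@sha256:…` freezes the base image, so OS-level security fixes now arrive only when the digest is bumped, and the Dependabot `docker` entries added in .github/dependabot.yaml in this same commit are what keep it current; a one-line comment above the FROM line, `# Base image pinned by digest; Dependabot (.github/dependabot.yaml) refreshes the digest`, would make that coupling explicit for the next maintainer. The tag is informational once a digest is present, but keeping it is what lets Dependabot track the right tag, so it should stay. The same applies to the ubuntu-20.04 and ubuntu-22.04 Dockerfiles. The rest of each Dockerfile is outside the hunk; if `ARG CMAKE_VERSION="3.26.4"` drives a download later in the file, that artifact should be checksum-verified too, otherwise the digest pin covers only part of the build input.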
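Review bot: The three new `docker` entries diverge in style from the existing entry directly above them: `interval: weekly` is unquoted where the existing entry writes `interval: "weekly"`, and they omit `open-pull-requests-limit` and `rebase-strategy: disabled`. If leaving those two keys out is deliberate, a short comment on the first docker entry saying so would help; otherwise carry them over for parity. If the Dependabot configuration version in use supports the `directories` key, the three identical entries could become a single entry listing all three paths, which keeps the schedule in one place. The top of the file, including the `version` key and the first entry's `package-ecosystem`, is outside the hunk.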
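Review bot: `permissions: read-all` at the top of buildmgr.yml grants GITHUB_TOKEN read access on every scope, which is broader than the least-privilege baseline of `permissions:` / `  contents: read` at workflow level with write scopes declared per job; the same block is added to codeql-analysis, cpp-linter, global, markdown, nightly, packchk, packgen, projmgr, shared_matrix_prep, shared_setup_env, svdconv, test_libs and unit_test_results. Because this hunk also shows the `release: types: [ published ]` trigger, any job in this workflow that uploads release assets now needs its own job-level `permissions:` block with `contents: write`, or it will fail once the token is downgraded to read-only; the same check applies to the other release-triggered workflows (packchk, packgen, projmgr, svdconv). The jobs are outside the hunk, so this is worth confirming before merge.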
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7c465eabf..9ec855daa 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -15,6 +15,8 @@ on:
 push:
 branches: [ main ]
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/cpp-linter.yml b/.github/workflows/cpp-linter.yml
index ffdc1fe22..2cb212a89 100644
--- a/.github/workflows/cpp-linter.yml
+++ b/.github/workflows/cpp-linter.yml
@@ -15,6 +15,8 @@ on:
 - '!**/docs/**/*'
 - '!**/*.md'
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/global.yaml b/.github/workflows/global.yaml
index 884db6f68..349c12e17 100644
--- a/.github/workflows/global.yaml
+++ b/.github/workflows/global.yaml
@@ -3,6 +3,9 @@ on:
 pull_request:
 release:
 types: [ published ]
+
+permissions: read-all
+
 jobs:
 copyright:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml
index 9b4c6dd3b..020475324 100644
--- a/.github/workflows/markdown.yml
+++ b/.github/workflows/markdown.yml
@@ -6,6 +6,9 @@ on:
 - '.github/markdownlint.json'
 - '.github/markdownlint.jsonc'
 - '**/*.md'
+
+permissions: read-all
+
 jobs:
 markdown-lint:
 name: Lint markdown files
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 24e72e3e5..8dd6637ed 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -5,6 +5,8 @@ on:
 schedule:
 - cron: '0 0 * * *'
+permissions: read-all
+
 jobs:
 buildmgr:
 if: github.repository == 'Open-CMSIS-Pack/devtools'
diff --git a/.github/workflows/packchk.yml b/.github/workflows/packchk.yml
index 616fdfe62..74e310a20 100644
--- a/.github/workflows/packchk.yml
+++ b/.github/workflows/packchk.yml
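Review bot: With `permissions: read-all` at the top of codeql-analysis.yml, the job that runs the CodeQL analyze/upload step must declare `security-events: write` at job level or the SARIF upload will be rejected; the jobs are outside this hunk, so please confirm a job-level block such as `permissions:` / `  security-events: write` / `  contents: read` is present. The cpp-linter.yml change in this commit has the same shape: if its linter job posts review comments or annotations on pull requests, that job now needs `pull-requests: write` declared at job level, since nothing in the hunk grants it.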
@@ -36,6 +36,8 @@ on:
 release:
 types: [published]
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/packgen.yml b/.github/workflows/packgen.yml
index 13c5eb43e..005a88673 100644
--- a/.github/workflows/packgen.yml
+++ b/.github/workflows/packgen.yml
@@ -31,6 +31,8 @@ on:
 release:
 types: [published]
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/projmgr.yml b/.github/workflows/projmgr.yml
index 729e39853..bea84bd61 100644
--- a/.github/workflows/projmgr.yml
+++ b/.github/workflows/projmgr.yml
@@ -32,6 +32,8 @@ on:
 release:
 types: [published]
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/shared_matrix_prep.yml b/.github/workflows/shared_matrix_prep.yml
index 9c3cd20e6..79f9002f9 100644
--- a/.github/workflows/shared_matrix_prep.yml
+++ b/.github/workflows/shared_matrix_prep.yml
@@ -18,6 +18,8 @@ on:
 matrix:
 value: ${{ jobs.matrix_prep.outputs.matrix }}
+permissions: read-all
+
 jobs:
 matrix_prep:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/shared_setup_env.yml b/.github/workflows/shared_setup_env.yml
index 92ee00f76..877e4f62a 100644
--- a/.github/workflows/shared_setup_env.yml
+++ b/.github/workflows/shared_setup_env.yml
@@ -16,6 +16,8 @@ on:
 description: 'Artifact retention days 7 when nightly, else 1'
 value: ${{ jobs.config.outputs.retention_days }}
+permissions: read-all
+
 jobs:
 config:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/svdconv.yml b/.github/workflows/svdconv.yml
index 3fc1ce00d..9a5b9c373 100644
--- a/.github/workflows/svdconv.yml
+++ b/.github/workflows/svdconv.yml
@@ -28,6 +28,8 @@ on:
 release:
 types: [published]
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/test_libs.yml b/.github/workflows/test_libs.yml
index 42e219e53..2c6e647d9 100644
--- a/.github/workflows/test_libs.yml
+++ b/.github/workflows/test_libs.yml
@@ -20,6 +20,8 @@ on:
 - '!**/docs/**/*'
 - '!**/*.md'
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/unit_test_results.yml b/.github/workflows/unit_test_results.yml
index 519658a37..4e9a9d508 100644
--- a/.github/workflows/unit_test_results.yml
+++ b/.github/workflows/unit_test_results.yml
@@ -10,12 +10,17 @@ on:
 types:
 - completed
+permissions: read-all
+
 jobs:
 publish-test-results:
 name: Publish Test Results
 runs-on: ubuntu-22.04
- if: github.event.workflow_run.conclusion != 'skipped'
+ permissions:
+ checks: write
+ pull-requests: write
+ if: github.event.workflow_run.conclusion != 'skipped'
 steps:
 - name: Download and Extract Artifacts
 env:
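Review bot: `checks: write` and `pull-requests: write` are granted to a job whose first visible step is `Download and Extract Artifacts` under a `workflow_run` trigger (`types: - completed`), and artifacts produced by the triggering run may originate from a fork pull request, so untrusted content reaches a job that holds a write-capable token. Keep this job limited to parsing the artifact as data and publishing results — no build or script execution on the downloaded content — and record the reason for the grant with a comment above the block, `# Write scopes are needed only to publish check results and PR comments; artifact contents come from the triggering run and are untrusted for fork PRs.`. The re-added `if:` line is unchanged and the step bodies are outside the hunk, so confirm there that the download step pins its action version and restricts which artifact names it extracts.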