diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8cc89cb3d..f29690001 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,13 +18,13 @@ jobs:
 target_arch: [amd64, arm64]
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up environment
 uses: ./.github/workflows/env
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
 with:
 languages: go
@@ -33,7 +33,7 @@ jobs:
 make TARGET_ARCH=${{ matrix.target_arch }}
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
 with:
 category: "/language:Go"
 timeout-minutes: 10
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 61f1eeda3..09f7f3d77 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -11,6 +11,6 @@ jobs:
 - name: Install codespell
 run: sudo apt-get install codespell
 - name: Checkout Repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Codespell
 run: make codespell
diff --git a/.github/workflows/env/action.yml b/.github/workflows/env/action.yml
index 3b15d1408..243a910c4 100644
--- a/.github/workflows/env/action.yml
+++ b/.github/workflows/env/action.yml
@@ -31,7 +31,7 @@ runs:
 libc6-arm64-cross qemu-user-binfmt libc6:arm64 \
 musl-dev:amd64 musl-dev:arm64 musl-tools binutils-aarch64-linux-gnu
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
 with:
 go-version-file: go.mod
 cache-dependency-path: go.sum
diff --git a/.github/workflows/push-docker-image.yml b/.github/workflows/push-docker-image.yml
index 6a3aa750a..9ed362be1 100644
--- a/.github/workflows/push-docker-image.yml
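Review bot: The trailing `# v4` / `# v3` comments on the new `uses:` lines, starting with the first codeql.yml hunk, name only the floating major tag, so nobody can tell from the file which release each commit SHA corresponds to; the same applies to the pins in codespell.yml, env/action.yml, push-docker-image.yml and unit-test-on-pull-request.yml. I would record the exact release in the comment, e.g. `uses: actions/checkout@<commit-sha> # vX.Y.Z`, which is also the form Dependabot and Renovate maintain when they bump a pinned SHA. No update configuration for these pins is visible in this diff; if none exists, the SHAs will age silently and miss upstream fixes. In codeql.yml, `init` and `analyze` share one codeql-action SHA and should keep moving together on future bumps.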
+++ b/.github/workflows/push-docker-image.yml
@@ -12,22 +12,22 @@ jobs:
 if: github.repository == 'open-telemetry/opentelemetry-ebpf-profiler'
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 - name: Set current timestamp tag
 id: tag
 run: |
 echo "tag=$(date +%Y%m%d%H%M)" >> $GITHUB_OUTPUT
 - name: Build and push
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
 with:
 push: true
 file: Dockerfile
diff --git a/.github/workflows/unit-test-on-pull-request.yml b/.github/workflows/unit-test-on-pull-request.yml
index 900d5f3f9..59a3a83f8 100644
--- a/.github/workflows/unit-test-on-pull-request.yml
+++ b/.github/workflows/unit-test-on-pull-request.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Clone code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up environment
 uses: ./.github/workflows/env
 - name: Check for changes in licenses of dependencies
@@ -31,14 +31,14 @@ jobs:
 target_arch: [amd64, arm64]
 steps:
 - name: Clone code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up environment
 uses: ./.github/workflows/env
 - name: Get linter version
 id: linter-version
 run: (echo -n "version="; make linter-version) >> "$GITHUB_OUTPUT"
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
 env:
 GOARCH: ${{ matrix.target-arch }}
 CGO_ENABLED: 1
@@ -58,11 +58,11 @@ jobs:
 target_arch: [amd64, arm64]
 steps:
 - name: Clone code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up environment
 uses: ./.github/workflows/env
 - name: Cache coredump modules
- uses: actions/cache@v4
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
 with:
 path: tools/coredump/modulecache
 key: coredumps-${{ matrix.target_arch }}-${{ hashFiles('tools/coredump/testdata/*/*.json') }}
@@ -77,13 +77,13 @@ jobs:
 check-binary-blobs:
 name: Check for differences in the eBPF and Rust binary blobs
 runs-on: ubuntu-24.04
- container: otel/opentelemetry-ebpf-profiler-dev:latest
+ container: otel/opentelemetry-ebpf-profiler-dev:latest@sha256:688e4651a9a482700836ff59ea00270b2c237bbcb2cf6b6c9daffcf29fa0a0cb
 defaults:
 run:
 shell: bash --login {0}
 steps:
 - name: Clone code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Hash binary blobs
 run: |
 sha256sum support/ebpf/tracer.ebpf.release.* > binary-blobs.hash
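Review bot: In the golangci-lint step of the `@@ -31,14 +31,14 @@` hunk, the context line `GOARCH: ${{ matrix.target-arch }}` uses a hyphen, while the matrix key shown at the top of the same hunk is `target_arch`. A matrix property that does not exist evaluates to an empty string, so GOARCH is presumably empty and both matrix legs lint for the runner's native architecture. While this step is being edited I would change the line to `GOARCH: ${{ matrix.target_arch }}`. The job header lies outside the hunk, so confirm that no `target-arch` key is defined there.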
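Review bot: In the `check-binary-blobs` job (`@@ -77,13 +77,13 @@` hunk), the new `container:` value keeps the `latest` tag next to the digest, which makes the line read as if the job still tracked the newest dev image. When both are given the digest decides what is pulled and the tag is only a label, so the job is now frozen to one image build. I would drop the tag or explain it with a comment such as `# digest of :latest as of <date>; bump whenever the dev image is rebuilt`. Whatever publishes the dev image should also update this digest, otherwise the blob comparison this job appears to perform will run against an outdated toolchain; the rest of the job is outside the hunk.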
@@ -115,13 +115,13 @@ jobs:
 target_arch: [amd64, arm64]
 steps:
 - name: Clone code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up environment
 uses: ./.github/workflows/env
 - name: Prepare integration test binaries for qemu tests
 run: make integration-test-binaries TARGET_ARCH=${{ matrix.target_arch }}
 - name: Upload integration test binaries
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: integration-test-binaries-${{ matrix.target_arch }}
 path: support/*.test
@@ -154,7 +154,7 @@ jobs:
 - { target_arch: arm64, kernel: 6.12.16 }
 steps:
 - name: Clone code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Install dependencies
 run: |
 sudo apt-get update -y
@@ -166,7 +166,7 @@ jobs:
 go install github.com/florianl/bluebox@v0.0.1
 sudo mv ~/go/bin/bluebox /usr/local/bin/.
 - name: Fetch integration test binaries
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with: { name: "integration-test-binaries-${{ matrix.target_arch }}" }
 - name: Fetch precompiled kernel
 run: |
diff --git a/Dockerfile b/Dockerfile
index 5c2f0562e..71a273340 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:testing-20241223-slim
+FROM debian:testing-20241223-slim@sha256:2ed89b1e8012d945cfcc111fa1dc11a628edaa24b9af5d63d6935b5ee35d3377
 WORKDIR /agent
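Review bot: The digest added to the `FROM debian:testing-20241223-slim@sha256:…` line should be the multi-arch image index digest, not a single-platform manifest digest. push-docker-image.yml in this same diff sets up QEMU and Buildx, which suggests the image is built for more than one architecture, and a platform-specific digest would make every target build from the same architecture's base. The `platforms:` setting is not visible here, so this is something to confirm rather than a known fault. `docker buildx imagetools inspect debian:testing-20241223-slim` prints the index digest to compare against.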