diff --git a/.github/actions/build-nextjs-website/action.yaml b/.github/actions/build-nextjs-website/action.yaml
index 3f72e40e7..ceb24371f 100644
--- a/.github/actions/build-nextjs-website/action.yaml
+++ b/.github/actions/build-nextjs-website/action.yaml
@@ -54,7 +54,7 @@ runs:
   using: "composite"
   steps:
     - name: Download GitBook docs
-      uses: actions/checkout@v4
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
       with:
         repository: pagopa/devportal-docs
         ref: docs/from-gitbook
diff --git a/.github/actions/deploy/action.yaml b/.github/actions/deploy/action.yaml
index a8faf7817..8da980683 100644
--- a/.github/actions/deploy/action.yaml
+++ b/.github/actions/deploy/action.yaml
@@ -74,7 +74,7 @@ runs:
       run: npm run compile
 
     - name: Download GitBook docs
-      uses: actions/checkout@v4
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
       with:
         repository: pagopa/devportal-docs
         ref: docs/from-gitbook
diff --git a/.github/workflows/move_latest_tag.yaml b/.github/workflows/move_latest_tag.yaml
index 7bee4f6f8..c84f36cd9 100644
--- a/.github/workflows/move_latest_tag.yaml
+++ b/.github/workflows/move_latest_tag.yaml
@@ -12,7 +12,7 @@ jobs:
     if: ${{ startsWith(github.ref, 'refs/tags/') && !endsWith(github.ref, '@latest') }}
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
       
     - name: Get commit hash associated with the new tag
       id: get-commit
diff --git a/apps/chatbot/docker/app.Dockerfile b/apps/chatbot/docker/app.Dockerfile
index 323a8bff2..25f83559a 100644
--- a/apps/chatbot/docker/app.Dockerfile
+++ b/apps/chatbot/docker/app.Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/lambda/python:3.12
+FROM public.ecr.aws/lambda/python:3.12@sha256:a9852e85c0ab8baca42cfb7835de0d47acb8ae099fd3b90f2c574aa219cdc234
 ARG DEBIAN_FRONTEND=noninteractive
 
 ENV PYTHONPATH=$LAMBDA_TASK_ROOT
diff --git a/apps/chatbot/docker/app.local.Dockerfile b/apps/chatbot/docker/app.local.Dockerfile
index 532ebf0b7..9000b9ede 100644
--- a/apps/chatbot/docker/app.local.Dockerfile
+++ b/apps/chatbot/docker/app.local.Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12.4-slim-bullseye
+FROM python:3.12.4-slim-bullseye@sha256:26ce493641ad3b1c8a6202117c31340c7bbb2dc126f1aeee8ea3972730a81dc6
 ARG DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && \
diff --git a/apps/chatbot/docker/compose.yaml b/apps/chatbot/docker/compose.yaml
index 349c71502..d71c5e036 100644
--- a/apps/chatbot/docker/compose.yaml
+++ b/apps/chatbot/docker/compose.yaml
@@ -18,7 +18,7 @@ services:
       - ntw
   
   dynamodb:
-    image: amazon/dynamodb-local:2.5.2
+    image: amazon/dynamodb-local:2.5.2@sha256:d7ebddeb60fa418bcda218a6c6a402a58441b2a20d54c9cb1d85fd5194341753
     environment:
       - AWS_ACCESS_KEY_ID=dummy
       - AWS_SECRET_ACCESS_KEY=dummy
@@ -29,7 +29,7 @@ services:
       - ntw
   
   redis:
-    image: redis/redis-stack:7.2.0-v13
+    image: redis/redis-stack:7.2.0-v13@sha256:2b000b938e407d14acafa9b7affd4c5a94ceeec572b25b15dcef0d3a6c064d7e
     ports:
       - "6379:6379"
       - "8001:8001"