diff --git a/.github/actions/check-pr-semver-labels/action.yml b/.github/actions/check-pr-semver-labels/action.yml
index abfbe1085..fed48afc9 100644
--- a/.github/actions/check-pr-semver-labels/action.yml
+++ b/.github/actions/check-pr-semver-labels/action.yml
@@ -21,7 +21,7 @@ runs:
 steps:
 - name: Retrieve semantic versioning labels on PR
 id: check_labels
- uses: actions/github-script@v6.3.3
+ uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
 env:
 VALID_APP_VERSION_LABELS: patch, minor, major, ignore-for-release
 VALID_CHART_VERSION_LABELS: chart-patch, chart-minor, chart-major
diff --git a/.github/workflows/check_pr.yml b/.github/workflows/check_pr.yml
index 41e8e06f7..d263915e6 100644
--- a/.github/workflows/check_pr.yml
+++ b/.github/workflows/check_pr.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1
 - uses: ./.github/actions/check-pr-semver-labels
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/create_dashboard.yaml b/.github/workflows/create_dashboard.yaml
index eae4efb61..e81b11e00 100644
--- a/.github/workflows/create_dashboard.yaml
+++ b/.github/workflows/create_dashboard.yaml
@@ -41,7 +41,7 @@ jobs:
 persist-credentials: false # from https://github.com/pagopa/opex-dashboard-azure-action/
- - uses: pagopa/opex-dashboard-azure-action@v1.1.2
+ - uses: pagopa/opex-dashboard-azure-action@ece3bc2b133be74cabb50aec14cdb9b8051b886f # v1.1.2
 with:
 environment: ${{ matrix.environment }}
 api-name: ${{ matrix.infra }}/${{ matrix.product }} # empty to have `.opex/env` directory structure
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e8052b1fb..b868198d6 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
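Review bot: The pinned `actions/github-script` SHA in `.github/actions/check-pr-semver-labels/action.yml` lives in a local composite action, and a dependency updater that is configured only for the workflows directory may never scan that path, so this pin can go stale unnoticed. Nothing visible in this diff adds or changes updater configuration, so it is worth confirming that whatever tracks action versions also covers `.github/actions/`. The step body continues outside the hunk.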
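Review bot: The trailing comment `# v1` on the checkout pin in `check_pr.yml` names a floating major tag, so it does not record which release `50fbc622fc4ef5163becd7fab6573eac35f8462e` actually is; the same applies to `# v3` on the checkout pin in `deploy.yml`. Record the exact release instead, e.g. `# v1.<minor>.<patch>` (placeholder, fill in the real version), so a reviewer can compare the SHA against the upstream tag. Separately, this workflow stays on the v1 major while `deploy.yml` uses v3, and pinning by SHA freezes that gap; aligning both workflows on one major would be a reasonable follow-up.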
@@ -18,7 +18,7 @@ jobs:
 semver_chart: ${{ steps.semver_labels.outputs.semver_chart }}
 skip_release: ${{ steps.semver_labels.outputs.skip_release }}
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 token: ${{ secrets.github_token }}
 - uses: ./.github/actions/check-pr-semver-labels
@@ -66,7 +66,7 @@ jobs:
 echo "SKIP_BUILD=${{ steps.configure_pipeline_parameters.outputs.SKIP_BUILD }}"
 shell: bash
 - name: Azure Pipelines Action
- uses: jacopocarlini/azure-pipelines@v1.3
+ uses: jacopocarlini/azure-pipelines@b9721743a54e862597395b4a70727cfdc03028fb # v1.3
 with:
 azure-devops-project-url: https://dev.azure.com/pagopaspa/pagoPA-projects
 azure-pipeline-name: 'pagopa-ecommerce-transactions-service.deploy'
diff --git a/Dockerfile b/Dockerfile
index c5e281671..c79da00b4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:17-jdk as build
+FROM openjdk:17-jdk@sha256:528707081fdb9562eb819128a9f85ae7fe000e2fbaeaf9f87662e7b3f38cb7d8 as build
 WORKDIR /workspace/app
 RUN microdnf install git
@@ -17,7 +17,7 @@ COPY eclipse-style.xml eclipse-style.xml
 RUN ./mvnw install -DskipTests --offline
 RUN mkdir target/extracted && java -Djarmode=layertools -jar target/*.jar extract --destination target/extracted
-FROM openjdk:17-slim
+FROM openjdk:17-slim@sha256:aaa3b3cb27e3e520b8f116863d0580c438ed55ecfa0bc126b41f68c3f62f9774
 RUN addgroup --system user && adduser --ingroup user --system user
 USER user:user
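Review bot: A commit SHA only adds assurance if it belongs to the action's own repository, and for `jacopocarlini/azure-pipelines@b9721743a54e862597395b4a70727cfdc03028fb` in the second `deploy.yml` hunk nothing on the page shows that it is the commit the upstream `v1.3` tag points to. GitHub can resolve a SHA that exists only in a fork of the referenced repository, so the SHA should be checked against the upstream tag and the check recorded, for example `# v1.3 (SHA verified against upstream tag)`. This action is published from a personal account and runs in the deploy job, so mirroring it into an organisation-controlled repository may also be worth considering. The step's `with:` block continues outside the hunk, so which credentials it receives is not visible here.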
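Review bot: Both `FROM` lines in the Dockerfile now carry a tag and a digest (`openjdk:17-jdk@sha256:…` in the first hunk, `openjdk:17-slim@sha256:…` in the second), and once a digest is present the tag no longer influences which image is pulled, so the build stays on these exact images until someone edits the file. That also freezes the base OS packages of the runtime stage, so the pin needs a scheduled digest refresh and rebuild to keep receiving fixes. If the image is built on more than one architecture, check that each digest refers to the multi-platform index rather than a single-architecture manifest. As far as I know the `openjdk` official image is deprecated upstream, in which case a maintained Java 17 base would be the better thing to pin.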