diff --git a/.github/scorecard.yml b/.github/scorecard.yml
new file mode 100644
index 0000000000..2b949fe373
--- /dev/null
+++ b/.github/scorecard.yml
@@ -0,0 +1,17 @@
+annotations:
+ # Ignore test Dockerfiles that use dynamic base images (ARG BASE_IMAGE)
+ # These are intentionally unpinned for test flexibility across multiple OS versions
+ - checks:
+ - pinned-dependencies
+ reasons:
+ - reason: test-data
+ annotation: "Test Dockerfiles use dynamic ARG BASE_IMAGE for multi-platform/multi-OS testing"
+ path:
+ - "test/docker/nginx-official-image/apk/Dockerfile"
+ - "test/docker/nginx-official-image/deb/Dockerfile"
+ - "test/docker/nginx-oss/apk/Dockerfile"
+ - "test/docker/nginx-oss/deb/Dockerfile"
+ - "test/docker/nginx-oss/rpm/Dockerfile"
+ - "test/docker/nginx-plus/deb/Dockerfile"
+ - "test/docker/nginx-plus-and-nap/deb/Dockerfile"
+
diff --git a/.github/workflows/sbom-source.yml b/.github/workflows/sbom-source.yml
index 723f8302cd..57ea17505a 100644
--- a/.github/workflows/sbom-source.yml
+++ b/.github/workflows/sbom-source.yml
@@ -26,7 +26,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-tags: 'true'
-
+
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
@@ -35,10 +35,10 @@ jobs:
 az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
-
+
 - name: Generate SBOM Document
 id: sbom-src
- uses: nginxinc/compliance-rules/.github/actions/sbom-source@main
+ uses: nginxinc/compliance-rules/.github/actions/sbom-source@361e2ac0a4f333150a3773a815aac632d32ffde9 # main
 with:
 product-name: ${{ github.event.repository.name }}
 release-version: ${{ github.ref_name }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 0f4357b3e3..7fe456731a 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
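Review bot: The `pinned-dependencies` annotation in the new scorecard.yml suppresses the check for the whole of each listed Dockerfile, not only the `FROM $BASE_IMAGE` line, so any unpinned `apt-get`/`apk add`, `pip install` or `curl | sh` in those seven files is also hidden from Scorecard while the comment justifies only the base image. Make the intended scope explicit in the comment, e.g. `# Only the ARG BASE_IMAGE FROM line is expected to be unpinned; package installs in these files must still be pinned (hadolint DL3008/DL3018 or equivalent should cover them).`, and add that lint to CI since Scorecard no longer reports on these paths. As far as I recall, Scorecard maintainer annotations are informational (surfaced with `--show-annotations`) and do not raise the score, so the written justification is the main value here; verify against the Scorecard version in use.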
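Review bot: The new pin's trailing comment on the `sbom-source` step is `# main`, a moving branch rather than a release ref, so a reader cannot tell what commit `361e2ac…` represents and Dependabot has no version to track; every other pin in this diff uses a tag comment (`# v6.0.2`). Because `nginxinc/compliance-rules` is a cross-repository composite action running in the same job that has just pulled Artifactory credentials from Key Vault (`secrets-filter: 'artifactory'`), prefer a tag from that repository once one exists, `uses: nginxinc/compliance-rules/.github/actions/sbom-source@361e2ac0a4f333150a3773a815aac632d32ffde9 # v<tag>`, or at minimum record when the SHA was taken, `# main, pinned <date>`, so the next bump is a deliberate review rather than a blind follow of the branch. The step's remaining inputs and the job's `permissions` block lie outside the hunk, so I cannot confirm the action is limited to read scopes.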
@@ -12,6 +12,10 @@ on: branches: - main - dev-v2 + pull_request: + branches: + - main + workflow_dispatch: # Declare default permissions as read only. permissions: read-all diff --git a/dependencies.Dockerfile b/dependencies.Dockerfile index b1b44dff9e..19e72b9888 100644 --- a/dependencies.Dockerfile +++ b/dependencies.Dockerfile @@ -3,11 +3,11 @@ # Dependabot can keep this file up to date with latest containers. # Weaver is used to generate markdown docs, and enforce policies on the model. -FROM otel/weaver:v0.13.2 AS weaver +FROM otel/weaver:v0.13.2@sha256:ae7346b992e477f629ea327e0979e8a416a97f7956ab1f7e95ac1f44edf1a893 AS weaver # OPA is used to test policies enforced by weaver. -FROM openpolicyagent/opa:1.2.0 AS opa +FROM openpolicyagent/opa:1.2.0@sha256:96f7ee5dbcc634853c55e0fc6090fe421d8c853da967ee0246f98bd186e2083f AS opa # Semconv gen is used for backwards compatibility checks. # TODO(jsuereth): Remove this when no longer used. -FROM otel/semconvgen:0.25.0 AS semconvgen \ No newline at end of file +FROM otel/semconvgen:0.25.0@sha256:9df7b8cbaa732277d64d0c0a8604d96bb6f5a36d0e96338cba5dced720c16485 AS semconvgen
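Review bot: The added `pull_request` trigger runs the workflow for PRs targeting `main`, including PRs from forks, where `GITHUB_TOKEN` is read-only and no OIDC token is issued; if the scorecard job (outside this hunk) sets `publish_results: true` and requests `id-token: write`/`security-events: write`, those runs will fail or upload nothing rather than add signal. Gate publishing on the event, `publish_results: ${{ github.event_name != 'pull_request' }}`, and consider a `paths:` filter limited to `.github/**` — Scorecard evaluates repository state via the API rather than the PR's checkout, so an unfiltered PR run mostly repeats the push run. Older releases of `ossf/scorecard-action` rejected `pull_request` events outright, as far as I recall, so confirm the pinned action version supports it before merging.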
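Review bot: The three `@sha256:` digests added in dependencies.Dockerfile cannot be verified from the diff, and a digest copied from a single-platform image instead of the image index (manifest list) will silently break the build on every other architecture; a one-line comment recording how they were obtained, `# Digests are image-index digests from: docker buildx imagetools inspect <image>:<tag>`, lets a reviewer re-check them. The header comment still claims Dependabot keeps this file up to date, which only holds if `.github/dependabot.yml` has a `docker` ecosystem entry covering this file (not visible here); without it the tag and digest pairs will drift and the digest will pin an older image than the tag suggests, so either confirm that entry exists or say in the comment that bumps are manual. The removed last line carried `\ No newline at end of file` and the added one does not, so the file now ends with a newline, which is fine.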