diff --git a/.github/workflows/add-issue-to-project.yml b/.github/workflows/add-issue-to-project.yml
index 22bc6a20..e15e2315 100644
--- a/.github/workflows/add-issue-to-project.yml
+++ b/.github/workflows/add-issue-to-project.yml
@@ -11,7 +11,7 @@ jobs:
   add-issue-to-project:
     runs-on: ubuntu-latest
     steps:
-      - uses: UCL-MIRSG/.github/actions/add-to-project@v0.38.0
+      - uses: UCL-MIRSG/.github/actions/add-to-project@37270c9d4ceb7872329515476c78654cdb5b6a83 # v0.38.0
         with:
           app-id: ${{ secrets.APP_ID }}
           app-pem: ${{ secrets.APP_PEM }}
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 3534abcb..1986a968 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -13,7 +13,7 @@ jobs:
   linting:
     runs-on: ubuntu-latest
     steps:
-      - uses: UCL-MIRSG/.github/actions/linting@v0
+      - uses: UCL-MIRSG/.github/actions/linting@561536e2ee67e89d148c1c9830c9debcf3a7ff07 # v0
         with:
           ansible-roles-config: ./meta/requirements.yml
           pre-commit-config: ./.pre-commit-config.yaml
diff --git a/.github/workflows/molecule-install-omero.yml b/.github/workflows/molecule-install-omero.yml
index 90c83080..a54b7c17 100644
--- a/.github/workflows/molecule-install-omero.yml
+++ b/.github/workflows/molecule-install-omero.yml
@@ -20,7 +20,7 @@ jobs:
       ANSIBLE_FORCE_COLOR: 1
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           path: ansible_collections/mirsg/infrastructure
 
diff --git a/.github/workflows/molecule-install-xnat.yml b/.github/workflows/molecule-install-xnat.yml
index 57d83336..3bce3131 100644
--- a/.github/workflows/molecule-install-xnat.yml
+++ b/.github/workflows/molecule-install-xnat.yml
@@ -28,7 +28,7 @@ jobs:
       ANSIBLE_FORCE_COLOR: 1
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           path: ansible_collections/mirsg/infrastructure
 
diff --git a/.github/workflows/molecule-monitoring.yml b/.github/workflows/molecule-monitoring.yml
index f989a68f..daff84e4 100644
--- a/.github/workflows/molecule-monitoring.yml
+++ b/.github/workflows/molecule-monitoring.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           path: ansible_collections/mirsg/infrastructure
 
diff --git a/.github/workflows/molecule-postgresql_upgrade.yml b/.github/workflows/molecule-postgresql_upgrade.yml
index b916816e..3cc6cb1b 100644
--- a/.github/workflows/molecule-postgresql_upgrade.yml
+++ b/.github/workflows/molecule-postgresql_upgrade.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           path: ansible_collections/mirsg/infrastructure
 
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index 590132f1..cfaa774c 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Run `molecule test`
-        uses: UCL-MIRSG/.github/actions/molecule-test@v0.40.0
+        uses: UCL-MIRSG/.github/actions/molecule-test@9a2274e191076c6e2062c04881c67e8df73bfb81 # v0.40.0
         with:
           scenario: ${{ matrix.scenario }}
           # yamllint disable-line rule:line-length
diff --git a/roles/monitoring_server/tasks/install_blackbox_exporter_container.yml b/roles/monitoring_server/tasks/install_blackbox_exporter_container.yml
index b7510b3e..aa58c090 100644
--- a/roles/monitoring_server/tasks/install_blackbox_exporter_container.yml
+++ b/roles/monitoring_server/tasks/install_blackbox_exporter_container.yml
@@ -19,7 +19,7 @@
   community.docker.docker_container:
     name: blackbox-exporter
     hostname: blackbox-exporter
-    image: prom/blackbox-exporter
+    image: prom/blackbox-exporter@sha256:b04a9fef4fa086a02fc7fcd8dcdbc4b7b35cc30cdee860fdc6a19dd8b208d63e
     state: started
     user: "{{ monitoring_server_uid }}:{{ monitoring_server_gid }}"
     command: --config.file=/config/blackbox-exporter.yml
diff --git a/roles/monitoring_server/tasks/install_nginx_container.yml b/roles/monitoring_server/tasks/install_nginx_container.yml
index bebec310..63b03e49 100644
--- a/roles/monitoring_server/tasks/install_nginx_container.yml
+++ b/roles/monitoring_server/tasks/install_nginx_container.yml
@@ -66,7 +66,7 @@
   community.docker.docker_container:
     name: nginx
     hostname: nginx
-    image: nginx
+    image: nginx@sha256:ed6d2c43c8fbcd3eaa44c9dab6d94cb346234476230dc1681227aa72d07181ee
     state: started
     networks:
       - name: monitor-net