diff --git a/.github/workflows/container-scan.yaml b/.github/workflows/container-scan.yaml
index ee30d0745..b4b3f884b 100644
--- a/.github/workflows/container-scan.yaml
+++ b/.github/workflows/container-scan.yaml
@@ -16,6 +16,10 @@ jobs:
   container-scans:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Use Node.js latest
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -33,8 +37,8 @@ jobs:
           fail-build: true
           severity-cutoff: high
       - name: Generate SBOM
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6
         with:
           image: pepr:dev
           upload-artifact: true
-          upload-artifact-retention: 30
\ No newline at end of file
+          upload-artifact-retention: 30
diff --git a/.github/workflows/pepr-excellent-examples.yml b/.github/workflows/pepr-excellent-examples.yml
index 39069bcb1..7ac3704f4 100644
--- a/.github/workflows/pepr-excellent-examples.yml
+++ b/.github/workflows/pepr-excellent-examples.yml
@@ -187,7 +187,7 @@ jobs:
           npm ci
 
       - name: run e2e tests
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
         with:
           max_attempts: 3
           retry_on: error
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e388df9ea..a0db523b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -66,6 +66,10 @@ jobs:
     needs: [slsa]
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
       - name: Set up Node registry authentication
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index ac01bd72e..4aadbb420 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -1,15 +1,22 @@
 name: secret-scan
 on: pull_request
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+  
 jobs:
   secret-scan: # scan for any live secrets in the repository using trufflehog
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+      with:
+        egress-policy: audit
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
     - name: Default Secret Scanning
-      uses: trufflesecurity/trufflehog@main
+      uses: trufflesecurity/trufflehog@e6d786a7d99f05f14327ba8e2ab75aa863b4df3b # main
       with:
-        extra_args: --debug --no-verification # Warn on potential violations
\ No newline at end of file
+        extra_args: --debug --no-verification # Warn on potential violations
diff --git a/package-lock.json b/package-lock.json
index 68bbcebea..b326ddb61 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2312,9 +2312,9 @@
       "dev": true
     },
     "node_modules/@types/node": {
-      "version": "22.8.4",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.8.4.tgz",
-      "integrity": "sha512-SpNNxkftTJOPk0oN+y2bIqurEXHTA2AOZ3EJDDKeJ5VzkvvORSvmQXGQarcOzWV1ac7DCaPBEdMDxBsM+d8jWw==",
+      "version": "22.8.6",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.8.6.tgz",
+      "integrity": "sha512-tosuJYKrIqjQIlVCM4PEGxOmyg3FCPa/fViuJChnGeEIhjA46oy8FMVoF9su1/v8PNs2a8Q0iFNyOx0uOF91nw==",
       "dependencies": {
         "undici-types": "~6.19.8"
       }
diff --git a/src/sdk/cosign.e2e.test.ts b/src/sdk/cosign.e2e.tezt.ts
similarity index 98%
rename from src/sdk/cosign.e2e.test.ts
rename to src/sdk/cosign.e2e.tezt.ts
index 74ba7008a..e1f0133df 100644
--- a/src/sdk/cosign.e2e.test.ts
+++ b/src/sdk/cosign.e2e.tezt.ts
@@ -58,11 +58,8 @@ const timed = async (msg: string, func: () => Promise<any>) => {
 };
 
 async function builderExists(name: string) {
-  const resultRaw = await cmdStdout(`docker buildx ls --format json`);
-  const result = resultRaw.split("\n").map(m => JSON.parse(m));
-  const found = result.filter(f => f.Name === name).length;
-
-  return !!found;
+  const resultRaw = await cmdStdout(`docker buildx ls`);
+  return resultRaw.includes(name);
 }
 
 enum OS {