diff --git a/.github/workflows/__generate-dependabot-config.yml b/.github/workflows/__generate-dependabot-config.yml
index 3ae33db..66e3a28 100644
--- a/.github/workflows/__generate-dependabot-config.yml
+++ b/.github/workflows/__generate-dependabot-config.yml
@@ -5,6 +5,9 @@ on: branches: - main +permissions: + contents: read + jobs: main: uses: ./.github/workflows/generate-dependabot-config.yml
diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
index e18e4b5..5d59a28 100644
--- a/.github/workflows/__main-ci.yml
+++ b/.github/workflows/__main-ci.yml
@@ -6,6 +6,9 @@ on: tags: ["*"] workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml
index c208f47..f2c0ef3 100644
--- a/.github/workflows/__pull-request-ci.yml
+++ b/.github/workflows/__pull-request-ci.yml
@@ -5,6 +5,11 @@ on: pull_request: branches: [main] +permissions: + contents: read + packages: read + statuses: write + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
index a0fef63..9f27ad6 100644
--- a/.github/workflows/__shared-ci.yml
+++ b/.github/workflows/__shared-ci.yml
@@ -3,6 +3,11 @@ name: Internal - Common Continuous Integration tasks on: workflow_call: +permissions: + contents: read + packages: read + statuses: write + jobs: linter: uses: ./.github/workflows/linter.yml
diff --git a/.github/workflows/__test-action-matrix-outputs.yml b/.github/workflows/__test-action-matrix-outputs.yml
index 65e61a8..6b7ca69 100644
--- a/.github/workflows/__test-action-matrix-outputs.yml
+++ b/.github/workflows/__test-action-matrix-outputs.yml
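Review bot: The workflow-level `permissions: contents: read` added to `__generate-dependabot-config.yml` is the ceiling for the reusable workflow called by `jobs.main`, because a called workflow can only downgrade what its caller grants; the called `generate-dependabot-config.yml` receives the same `contents: read` in its own hunk, so if its job commits the generated config or opens a pull request with `GITHUB_TOKEN`, that write will be refused. I cannot see the job's steps from either hunk, so this is a point to confirm rather than a certain breakage. If a write is needed, grant it on the calling job (`jobs.main.permissions`) rather than at workflow level and mirror it in the called workflow; if the job only reads, a one-line comment above `permissions:` saying so would spare the next reader the same check. The `jobs:` mapping of the caller continues outside the hunk.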
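Review bot: `__main-ci.yml` grants only `contents: read`, while the sibling caller `__pull-request-ci.yml` and the reusable `__shared-ci.yml` declare `packages: read` and `statuses: write` for what appear to be the same CI tasks. If a job in this workflow (outside the hunk) calls `__shared-ci.yml` or `linter.yml`, the caller-level grant caps the token, so the linter's commit-status write would be denied at runtime even though the called workflows ask for it. Either add `packages: read` and `statuses: write` here as in `__pull-request-ci.yml`, or, if main-branch runs pass a dedicated token through the `github-token` input, say so in a comment above `permissions:`. The `jobs:` section of this workflow starts outside the hunk.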
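Review bot: `statuses: write` is granted at workflow level in `__pull-request-ci.yml` and again in `__shared-ci.yml` (and in `linter.yml`), so every job in those workflows receives a write-capable token, although the `github-token` description in `linter.yml` suggests only the linter step marks the check status. A workflow-level `permissions:` is the right default for read scopes, but write scopes belong on the one job that needs them: keep `contents: read` and `packages: read` at workflow level and put `statuses: write` under `jobs.linter.permissions`. Whether other jobs in `__shared-ci.yml` also need it cannot be seen from this hunk, so confirm before narrowing. Since a reusable workflow's own `permissions:` cannot exceed what its caller grants, the caller workflows are where this scoping matters most.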
@@ -3,6 +3,9 @@ name: Internal - Tests for set/get matrix outputs on: workflow_call: +permissions: + contents: read + jobs: tests-1: name: Arrange - Set first output
diff --git a/.github/workflows/__test-action-repository-owner-is-organization.yml b/.github/workflows/__test-action-repository-owner-is-organization.yml
index d9c2128..1672532 100644
--- a/.github/workflows/__test-action-repository-owner-is-organization.yml
+++ b/.github/workflows/__test-action-repository-owner-is-organization.yml
@@ -3,6 +3,9 @@ name: Internal - Tests for repository-owner-is-organization action on: workflow_call: +permissions: + contents: read + jobs: tests: name: Tests for repository-owner-is-organization action
diff --git a/.github/workflows/__test-action-slugify.yml b/.github/workflows/__test-action-slugify.yml
index ed9c456..65bcb73 100644
--- a/.github/workflows/__test-action-slugify.yml
+++ b/.github/workflows/__test-action-slugify.yml
@@ -3,6 +3,9 @@ name: Internal - Tests for slugify action on: workflow_call: +permissions: + contents: read + jobs: tests: name: Tests for slugify action
diff --git a/.github/workflows/generate-dependabot-config.yml b/.github/workflows/generate-dependabot-config.yml
index 4cc6bf7..0f20c31 100644
--- a/.github/workflows/generate-dependabot-config.yml
+++ b/.github/workflows/generate-dependabot-config.yml
@@ -28,6 +28,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: generate-dependabot-config: name: Generate Dependabot Config
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
index 689d893..40e59dd 100644
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
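Review bot: The new `permissions:` block in `generate-dependabot-config.yml` sits between `concurrency:` and `jobs:`, whereas every other workflow in this change places it directly after `on:`; a uniform key order across the repository makes a permissions audit a one-glance diff. Moving the three lines above `concurrency:` changes nothing functionally. The `concurrency:` mapping this hunk starts in begins outside the hunk.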
@@ -32,6 +32,11 @@ on: github-token: description: "Token for the repository. See https://github.com/actions/first-interaction#usage" +permissions: + contents: read + issues: write + pull-requests: write + jobs: greeting: runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 6e0c87d..5e1d00e 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -17,6 +17,11 @@ on: github-token: description: 'Token for marking the status of linter run in the Checks section. See https://github.com/super-linter/super-linter#how-to-use' +permissions: + contents: read + packages: read + statuses: write + jobs: checks: runs-on: ${{ fromJson(inputs.runs-on) }}
@@ -27,7 +32,7 @@ jobs: fetch-depth: 0 - name: 👕 Lint Code Base - uses: super-linter/super-linter/slim@v5 + uses: super-linter/super-linter/slim@v6 env: VALIDATE_ALL_CODEBASE: false LOG_LEVEL: WARN
diff --git a/.github/workflows/need-fix-to-issue.yml b/.github/workflows/need-fix-to-issue.yml
index 069961a..36dfd4b 100644
--- a/.github/workflows/need-fix-to-issue.yml
+++ b/.github/workflows/need-fix-to-issue.yml
@@ -9,6 +9,7 @@ on: branches: - "main" workflow_dispatch: + #checkov:skip=CKV_GHA_7: required inputs: manual-commit-ref: description: "The SHA of the commit to get the diff for"
@@ -32,6 +33,10 @@ on: type: string required: false +permissions: + contents: read + issues: write + jobs: need-fix-to-issue: runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
@@ -39,7 +44,7 @@ jobs: - uses: "actions/checkout@v4" - name: "TODO to Issue" - uses: "alstr/todo-to-issue-action@v4.12" + uses: "alstr/todo-to-issue-action@v4.13" with: IDENTIFIERS: | [
diff --git a/.github/workflows/release-actions.yml b/.github/workflows/release-actions.yml
index 11194cb..2b10c9f 100644
--- a/.github/workflows/release-actions.yml
+++ b/.github/workflows/release-actions.yml
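Review bot: `uses: super-linter/super-linter/slim@v6` in `linter.yml` (and likewise `alstr/todo-to-issue-action@v4.13` below and `tj-actions/changed-files@v44.0.0` in `release-actions.yml`) pins a mutable tag, so the code that runs with the `statuses: write` and `issues: write` tokens granted in this same change can be altered upstream without any diff appearing here. The usual mitigation is to pin the full commit SHA and keep the version as a trailing comment, e.g. `uses: super-linter/super-linter/slim@<commit-sha> # v6`, and let Dependabot (which the `generate-dependabot-config.yml` workflow suggests is in use) bump the SHA. The move from v5 to v6 is also a major version; I would expect the PR description to say whether any linter defaults changed for this repository, since the hunk keeps `VALIDATE_ALL_CODEBASE: false` as before.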
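Review bot: The justification in `#checkov:skip=CKV_GHA_7: required` in `need-fix-to-issue.yml` says only that the skip is required, not why, and the same one-word reason is used for `#checkov:skip=CKV_DOCKER_2: required` in the Dockerfile hunk. A skip comment is the audit trail for a disabled control, so it should state the reason the check does not apply: here something like `#checkov:skip=CKV_GHA_7: manual-commit-ref is a workflow_dispatch input so a chosen commit can be diffed`, and in the Dockerfile something like `#checkov:skip=CKV_DOCKER_2: run-to-completion linter image, no long-lived service to HEALTHCHECK`. The `inputs:` mapping the comment sits in continues outside the hunk, so only the `manual-commit-ref` description is available to me for the wording; adjust it to whatever the other inputs require.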
@@ -29,6 +29,9 @@ on: github-app-key: description: "GitHub App private key to generate GitHub token in place of github-token. See https://github.com/actions/create-github-app-token" +permissions: + contents: read + jobs: prepare-release: runs-on: ${{ fromJson(inputs.runs-on) }}
@@ -47,7 +50,7 @@ jobs: - id: changed-files if: ${{ inputs.update-all == false }} - uses: tj-actions/changed-files@v42.0.2 + uses: tj-actions/changed-files@v44.0.0 with: files: | ./actions/*
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index f69ee51..7d95af1 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -41,6 +41,10 @@ on: type: string required: false +permissions: + issues: write + pull-requests: write + jobs: stale: runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
diff --git a/Dockerfile b/Dockerfile
index 0b056d7..c15ca27 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,10 @@ +#checkov:skip=CKV_DOCKER_2: required FROM ghcr.io/super-linter/super-linter:slim-v6 +ARG UID=1000 +ARG GID=1000 +USER ${UID}:${GID} + ENV RUN_LOCAL=true ENV USE_FIND_ALGORITHM=true ENV LOG_LEVEL=WARN
diff --git a/Makefile b/Makefile
index 7374be4..ceeceea 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ lint: ## Execute linting DEFAULT_WORKSPACE="$(CURDIR)"; \ LINTER_IMAGE="linter:latest"; \ VOLUME="$$DEFAULT_WORKSPACE:$$DEFAULT_WORKSPACE"; \ - docker build --tag $$LINTER_IMAGE .; \ + docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g) --tag $$LINTER_IMAGE .; \ docker run \ -e DEFAULT_WORKSPACE="$$DEFAULT_WORKSPACE" \ -e FILTER_REGEX_INCLUDE="$(filter-out $@,$(MAKECMDGOALS))" \
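Review bot: `--build-arg UID=$(id -u) --build-arg GID=$(id -g)` in the Makefile `lint` recipe is expanded by make, not by the shell: `$(id -u)` is a reference to an undefined make variable named `id -u`, so docker receives `--build-arg UID=` and `--build-arg GID=` with empty values and the new `USER ${UID}:${GID}` line in the Dockerfile sees those empty values instead of the host ids. The same recipe already escapes shell expansions as `$$DEFAULT_WORKSPACE`, so the fix is the same doubling: `docker build --build-arg UID=$$(id -u) --build-arg GID=$$(id -g) --tag $$LINTER_IMAGE .; \`. The `lint` recipe continues outside the hunk.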