diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index dfcaf50..58f2af8 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
   schedule:
     - cron: '25 21 * * 3'
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml
index 25fcb0e..95aa941 100644
--- a/.github/workflows/defender-for-devops.yml
+++ b/.github/workflows/defender-for-devops.yml
@@ -26,10 +26,17 @@ on:
   schedule:
     - cron: '43 0 * * 0'
+permissions:
+  contents: read
+
 jobs:
   MSDO:
     # currently only windows latest is supported
     runs-on: windows-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
     steps:
     - uses: actions/checkout@v4
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 3f53646..9256486 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ "main" ]
+permissions:
+  contents: read
+
 jobs:
   build:
diff --git a/.github/workflows/npm-publish-github-packages.yml b/.github/workflows/npm-publish-github-packages.yml
index ea2d329..0893b3a 100644
--- a/.github/workflows/npm-publish-github-packages.yml
+++ b/.github/workflows/npm-publish-github-packages.yml
@@ -7,6 +7,9 @@ on:
   release:
     types: [created]
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
index 00b3f6f..714d5af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,9 @@ FROM node:20-alpine AS builder
 WORKDIR /app
 # Install system dependencies for Prisma (OpenSSL + libc compatibility)
-RUN apk add --no-cache openssl libc6-compat
+RUN apk add --no-cache \
+    openssl=3.* \
+    libc6-compat=1.*
 # Environment & NPM tuning
 ENV NPM_CONFIG_LOGLEVEL=warn \
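Review bot: The new top-level `permissions: contents: read` in codeql.yml becomes the ceiling for any job that does not declare its own block, and the `analyze` job below this hunk needs `security-events: write` to upload SARIF (the CodeQL starter template also lists `actions: read` and `packages: read`) — the hunk does not show whether a job-level block is present, so please confirm one survives, otherwise the upload step fails with a 403. The same question applies to the `build` job in docker-image.yml, which needs `packages: write` at job level only if it pushes to GHCR, and to the publish job in npm-publish-github-packages.yml, which cannot publish without `packages: write`. The defender-for-devops.yml hunk in this commit shows the pattern to follow: restate the minimal set per job. The `analyze` job continues outside the hunk.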
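Review bot: The job-level block on `MSDO` in defender-for-devops.yml grants `security-events: write` and `actions: read` without saying why, and a reader comparing it with the top-level `contents: read` may trim it later. A short why-comment on those two lines would prevent that, e.g. `# security-events: write — upload SARIF results; actions: read — needed by upload-sarif on private repos` (assuming the steps below, outside the hunk, upload via `github/codeql-action/upload-sarif`). Job-level `permissions` replaces the workflow-level block rather than merging with it, so the repeated `contents: read` here is what keeps `actions/checkout` working and should stay.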
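Review bot: `openssl=3.*` and `libc6-compat=1.*` in the builder-stage `RUN apk add` satisfy the linter's pin check but pin nothing: `apk add` still resolves to whatever build is current in the Alpine branch at build time, so the image is no more reproducible than before, and a future reader is likely to mistake the wildcard for a reproducibility guarantee. If the intent is to keep receiving point-release security fixes while catching a major bump — a defensible choice on Alpine, where superseded package builds are removed from the mirrors and exact pins start failing on the next fix release — say so above the `RUN`, e.g. `# Major-version pins only: Alpine drops superseded builds, so exact pins break on every fix release; this catches a major bump, not drift`. For the part of the supply chain this file does control, pinning the `node:20-alpine` base by digest would buy the reproducibility the wildcards only suggest. The same applies to the runner-stage `RUN apk add` in the second Dockerfile hunk (`wget=1.*`, `su-exec=0.2-r*`) and to both hunks in Dockerfile.prod.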
@@ -57,7 +59,11 @@ WORKDIR /app
 ENV NODE_ENV=production \
     NEXT_TELEMETRY_DISABLED=1
-RUN apk add --no-cache openssl libc6-compat wget su-exec
+RUN apk add --no-cache \
+    openssl=3.* \
+    libc6-compat=1.* \
+    wget=1.* \
+    su-exec=0.2-r*
 # Non-root user for security
 RUN addgroup --system --gid 1001 nodejs && \
diff --git a/Dockerfile.prod b/Dockerfile.prod
index 76e728c..c15bc45 100644
--- a/Dockerfile.prod
+++ b/Dockerfile.prod
@@ -1,6 +1,8 @@
 FROM node:20-alpine AS builder
 WORKDIR /app
-RUN apk add --no-cache openssl libc6-compat
+RUN apk add --no-cache \
+    openssl=3.* \
+    libc6-compat=1.*
 ENV NPM_CONFIG_LOGLEVEL=warn \
     NPM_CONFIG_REGISTRY=https://registry.npmjs.org \
     NEXT_TELEMETRY_DISABLED=1
@@ -17,7 +19,10 @@ RUN npm prune --production
 FROM node:20-alpine AS runner
 WORKDIR /app
 ENV NODE_ENV=production APP_ENV=production NEXT_TELEMETRY_DISABLED=1
-RUN apk add --no-cache openssl libc6-compat wget
+RUN apk add --no-cache \
+    openssl=3.* \
+    libc6-compat=1.* \
+    wget=1.*
 COPY --from=builder /app/public ./public
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/.next/static ./.next/static