diff --git a/.github/workflows/ci-guardrails.yml b/.github/workflows/ci-guardrails.yml
index 62c7d28..2c7bf78 100644
--- a/.github/workflows/ci-guardrails.yml
+++ b/.github/workflows/ci-guardrails.yml
@@ -117,7 +117,7 @@ jobs:
 echo "trufflehog=${trufflehog}" >> "$GITHUB_OUTPUT"
 - name: Run TruffleHog
- uses: trufflesecurity/trufflehog@47e7b7cd74f578e1e3145d48f669f22fd1330ca6 # v3.94.3
+ uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
 with:
 extra_args: --results=verified,unknown
 version: ${{ steps.versions.outputs.trufflehog }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de41681..b15207a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -68,7 +68,7 @@ jobs:
 # Scanning the SBOM is strictly more accurate than Trivy's own filesystem
 # heuristics, and the SBOM only exists after the build completes.
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 scan-type: sbom
 scan-ref: target/bom_all.json
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 913011f..bdf2f38 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -73,7 +73,7 @@ jobs:
 run: ./mvnw -B -ntp -P integration-tests,generate-sbom,release -Dsigstore.skip=false -Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.json clean deploy
 - name: Scan SBOM for vulnerabilities
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 scan-type: sbom
 scan-ref: target/bom_all.json