diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index f16ee679..09f73246 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Re-Test Action
         uses: ./.github/actions/retest-action
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..628a596f
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,40 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: 29 15 * * 0
+permissions: read-all
+jobs:
+  analysis:
+    name: Scorecard analysis
+    permissions:
+      id-token: write
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736  # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db  # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24  # v3.26.4
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 5de61efe..cfc3f90c 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,30 +10,39 @@ env:
 jobs:
   lint:
     name: Lint
+    permissions:
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2
         with:
           go-version: ${{ env.GO_VERSION }}
-      - uses: actions/checkout@v4
-      - uses: ibiqlik/action-yamllint@v3
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+
+      - uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c  # v3.1.1
         with:
           format: auto
-      - uses: golangci/golangci-lint-action@v6
+          config_file: .yamllint.yaml
+
+      - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86  # v6.1.0
         with:
           args: --verbose
           version: v1.57.1
+
   build:
     name: Build all linux architectures
     needs: lint
     runs-on: ubuntu-latest
     steps:
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2
         with:
           go-version: ${{ env.GO_VERSION }}
-      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Build on all supported architectures
         run: |
@@ -49,10 +58,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2
         with:
           go-version: ${{ env.GO_VERSION }}
-      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Install test binaries
         run: |
@@ -62,9 +72,9 @@ jobs:
       - name: test
         run: COVERALLS=1 ./test.sh
 
-      - name: Send coverage to coveralls
-        env:
+      - env:
           COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        name: Send coverage to coveralls
         run: |
           PATH=$PATH:$(go env GOPATH)/bin
           gover
@@ -76,9 +86,11 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # v5.0.2
         with:
           go-version: ${{ env.GO_VERSION }}
-      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+
       - name: test
         run: bash ./test.sh
diff --git a/.yamllint b/.yamllint.yaml
similarity index 85%
rename from .yamllint
rename to .yamllint.yaml
index 579bc221..802e8c8b 100644
--- a/.yamllint
+++ b/.yamllint.yaml
@@ -3,6 +3,7 @@ extends: default
 
 rules:
   document-start: disable
+  line-length: disable
   truthy:
     ignore: |
       .github/workflows/*.yml
diff --git a/README.md b/README.md
index 1ad32e24..7b0c2148 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,9 @@
 
 # CNI - the Container Network Interface
 
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2446/badge)](https://bestpractices.coreinfrastructure.org/projects/2446)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/containernetworking/cni/badge)](https://securityscorecards.dev/viewer/?uri=github.com/containernetworking/cni)
+
 ## What is CNI?
 
 CNI (_Container Network Interface_), a [Cloud Native Computing Foundation](https://cncf.io) project, consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins.