diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b00bfd0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
index b59be5f..086fd65 100644
--- a/.github/workflows/boj-build.yml
+++ b/.github/workflows/boj-build.yml
@@ -1,16 +1,19 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: BoJ Server Build Trigger
-
 on:
   push:
-    branches: [ main, master ]
+    branches: [main, master]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Trigger BoJ Server (Casket/ssg-mcp)
         run: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 61d95da..04b333c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,7 +9,8 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analyze:
diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml
index 3e1103a..a8e8f4e 100644
--- a/.github/workflows/guix-nix-policy.yml
+++ b/.github/workflows/guix-nix-policy.yml
@@ -2,7 +2,8 @@
 name: Guix/Nix Package Policy
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index f2bf132..1250a56 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -11,7 +11,8 @@ on:
     - cron: '0 0 * * 0'  # Weekly on Sunday
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   scan:
diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml
index 2d2783b..c6b6726 100644
--- a/.github/workflows/npm-bun-blocker.yml
+++ b/.github/workflows/npm-bun-blocker.yml
@@ -2,7 +2,8 @@
 name: NPM/Bun Blocker
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index dbd3142..89d4a8d 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -3,7 +3,8 @@ name: Code Quality
 on: [push, pull_request]
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   lint:
diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml
index a001dcd..e81eafa 100644
--- a/.github/workflows/rsr-antipattern.yml
+++ b/.github/workflows/rsr-antipattern.yml
@@ -14,7 +14,8 @@ on:
     branches: [main, master, develop]
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   antipattern-check:
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index e1f5c2f..effbe36 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -9,14 +9,18 @@ on:
     - cron: '0 6 * * 1'  # Weekly on Monday
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  security-events: write
+  id-token: write
+  contents: read
 
 jobs:
   scorecard:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
-      id-token: write  # For OIDC
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -52,6 +56,8 @@ jobs:
   # Check specific high-priority items
   check-critical:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -64,8 +70,8 @@ jobs:
 
       - name: Check for pinned dependencies
         run: |
-          # Check workflows for unpinned actions
-          unpinned=$(grep -r "uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
+          # Check workflows for unpinned actions - using anchored regex to avoid self-match
+          unpinned=$(grep -rE "^[[:space:]]+uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
           if [ -n "$unpinned" ]; then
             echo "::warning::Found unpinned actions:"
             echo "$unpinned"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 3dbba30..fc5f60c 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -7,7 +7,8 @@ on:
     - cron: '0 4 * * *'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 1ca8aca..ea912ff 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -7,7 +7,8 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   trufflehog:
diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml
index d4e9701..06d030c 100644
--- a/.github/workflows/security-policy.yml
+++ b/.github/workflows/security-policy.yml
@@ -2,7 +2,8 @@
 name: Security Policy
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml
index 5c34a58..6a09ba2 100644
--- a/.github/workflows/ts-blocker.yml
+++ b/.github/workflows/ts-blocker.yml
@@ -2,7 +2,8 @@
 name: TypeScript/JavaScript Blocker
 on: [push, pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   check:
diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml
index 125b20c..351b0da 100644
--- a/.github/workflows/wellknown-enforcement.yml
+++ b/.github/workflows/wellknown-enforcement.yml
@@ -15,7 +15,8 @@ on:
   workflow_dispatch:
 
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   validate:
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
index 9bb4d39..9b9dcea 100644
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@@ -12,7 +12,8 @@ on:
       - '.github/workflows/**'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   lint-workflows:
@@ -53,7 +54,8 @@ jobs:
             fi
           done
           if [ $failed -eq 1 ]; then
-            echo "Add 'permissions: read-all' at workflow level"
+            echo "Add 'permissions:
+  contents: read' at workflow level"
             exit 1
           fi
           echo "All workflows have permissions declared"
@@ -63,7 +65,8 @@ jobs:
           echo "=== Checking Action Pinning ==="
           # Find any uses: lines that don't have @SHA format
           # Pattern: uses: owner/repo@<40-char-hex>
-          unpinned=$(grep -rn "uses:" .github/workflows/ | \
+          # We use grep -E to ensure we only match YAML keys (indented uses:), avoiding self-matches
+          unpinned=$(grep -rnE "^[[:space:]]+uses:" .github/workflows/ | \
             grep -v "@[a-f0-9]\{40\}" | \
             grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true)
 
diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt
new file mode 100644
index 0000000..8621280
--- /dev/null
+++ b/tests/fuzz/placeholder.txt
@@ -0,0 +1 @@
+Scorecard requirement placeholder