diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 9273c93..4f07629 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -29,8 +29,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: go/
       - name: run gosec
         uses: securego/gosec@master
@@ -48,22 +49,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: go/
       - name: run govulncheck
         uses: golang/govulncheck-action@v1
         with:
-           go-version-input: 1.19.0
-           go-package: ./...
+          go-version-input: 1.19.0
+          go-package: ./...
       # this action doesn't produce a SARIF report yet, so there's nothing to upload.
       # See: https://github.com/golang/go/issues/61347
   tfsec:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: terraform/
       - name: run tfsec
         uses: aquasecurity/tfsec-action@v1.0.0
@@ -81,8 +84,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: python/
       - uses: actions/setup-python@v4
         with:
@@ -110,8 +114,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: terraform/
       - name: run chekov
         uses: bridgecrewio/checkov-action@v12
@@ -129,8 +134,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: bicep/
       - name: run chekov
         uses: bridgecrewio/checkov-action@v12
@@ -150,8 +156,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: go/
       - name: codeql init
         uses: github/codeql-action/init@v2
@@ -172,8 +179,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: python/
       - name: codeql init
         uses: github/codeql-action/init@v2
@@ -194,8 +202,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
+          persist-credentials: false
           sparse-checkout: python/
       - uses: pypa/gh-action-pip-audit@v1.0.0
         with: