diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 49ba8e6..e346f3d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,8 @@ version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
-    schedule:
-      interval: "monthly"
     target-branch: "develop"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 4
diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index a187c3a..fabc728 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
@@ -4,10 +4,18 @@ on:
   issues:
     types: [opened]
 
+permissions: {}
+
 jobs:
   call-workflow-create-jira-issue:
-    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
-    secrets: inherit
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@v2
+    permissions:
+      contents: read
+      issues: write
     with:
       project-key: 'GEOPY'
       components: '[{"name": "OMF"}]'
+    secrets:
+      JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+      JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index 794bf3f..2427315 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
@@ -1,10 +1,18 @@
 name: Add JIRA issue summary
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened]
 
+permissions: {}
+
 jobs:
   call-workflow-add-jira-issue-summary:
-    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main
-    secrets: inherit
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@v2
+    permissions:
+      contents: read
+      pull-requests: write
+    secrets:
+      JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+      JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
+      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
diff --git a/.github/workflows/python_analysis.yml b/.github/workflows/python_analysis.yml
index 9db19bd..e617b24 100644
--- a/.github/workflows/python_analysis.yml
+++ b/.github/workflows/python_analysis.yml
@@ -17,6 +17,8 @@ on:
       - feature/**
       - hotfix/**
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -24,14 +26,20 @@ concurrency:
 jobs:
   call-workflow-static-analysis:
     name: Static analysis
-    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@main
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@v2
+    permissions:
+      contents: read
+      pull-requests: read
     with:
       package-manager: 'poetry'
       app-name: 'omf'
       python-version: '3.10'
   call-workflow-pytest:
     name: Pytest
-    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@main
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@v2
+    permissions:
+      contents: read
+      pull-requests: read
     with:
       package-manager: 'poetry'
       python-versions: '["3.10", "3.11", "3.12"]'
diff --git a/.github/workflows/python_deploy_dev.yml b/.github/workflows/python_deploy_dev.yml
index f467dfa..de15e8e 100644
--- a/.github/workflows/python_deploy_dev.yml
+++ b/.github/workflows/python_deploy_dev.yml
@@ -5,6 +5,8 @@ on:
     tags:
       - 'v*' # Push events to every version tag (eg. v1.0.0)
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
   cancel-in-progress: true
@@ -12,7 +14,9 @@ concurrency:
 jobs:
   call-workflow-conda-publish:
     name: Publish development conda package on JFrog Artifactory
-    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@main
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@v2
+    permissions:
+      contents: write
     with:
       package-name: 'mira-omf'
       python-version: '3.10'
@@ -24,7 +28,9 @@ jobs:
       JFROG_ARTIFACTORY_TOKEN: ${{ secrets.JFROG_ARTIFACTORY_TOKEN }}
   call-workflow-pypi-publish:
     name: Publish development pypi package (JFrog Artifactory, TestPyPI)
-    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@main
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@v2
+    permissions:
+      contents: write
     with:
       package-manager: 'poetry'
       package-name: 'mira-omf'
diff --git a/.github/workflows/python_deploy_prod.yml b/.github/workflows/python_deploy_prod.yml
index b94c2ba..229d920 100644
--- a/.github/workflows/python_deploy_prod.yml
+++ b/.github/workflows/python_deploy_prod.yml
@@ -19,6 +19,8 @@ on:
         type: boolean
         default: true
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.release.tag_name || github.event.inputs.release-tag || github.run_id }}
   cancel-in-progress: true
@@ -27,7 +29,9 @@ jobs:
   call-workflow-conda-release:
     name: Publish production Conda package on JFrog Artifactory
     if: ${{ github.event_name == 'release' || github.event.inputs.publish-conda == 'true' }}
-    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@main
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@v2
+    permissions:
+      contents: write
     with:
       virtual-repo-names: '["public-noremote-conda-prod"]'
       release-tag: ${{ github.event.release.tag_name || github.event.inputs.release-tag }}
@@ -37,7 +41,9 @@ jobs:
   call-workflow-pypi-release:
     name: Publish production PyPI package (JFrog Artifactory, PyPI)
     if: ${{ github.event_name == 'release' || github.event.inputs.publish-pypi == 'true' }}
-    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@main
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@v2
+    permissions:
+      contents: write
     with:
       package-name: 'mira-omf'
       virtual-repo-names: '["public-pypi-prod", "pypi"]'
diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml
new file mode 100644
index 0000000..0060b34
--- /dev/null
+++ b/.github/workflows/security_scan.yml
@@ -0,0 +1,43 @@
+name: Security Scan
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - develop
+      - main
+      - release/**
+      - feature/**
+      - hotfix/**
+  push:
+    branches:
+      - develop
+      - main
+      - release/**
+      - feature/**
+      - hotfix/**
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  call-workflow-zizmor-annotate:
+    name: Zizmor analysis (advanced security)
+    if: ${{ github.event_name != 'pull_request' }}
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-advanced-security.yml@v2
+
+  call-workflow-zizmor-advanced-security:
+    name: Zizmor analysis (annotate)
+    if: ${{ github.event_name == 'pull_request' }}
+    permissions:
+      checks: write
+      contents: read
+      actions: read
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-annotate.yml@v2
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 0000000..01c57e8
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1 @@
+rules: