diff --git a/.github/workflows/db-migrations.yml b/.github/workflows/db-migrations.yml
index c8fad422..561cc170 100644
--- a/.github/workflows/db-migrations.yml
+++ b/.github/workflows/db-migrations.yml
@@ -36,7 +36,7 @@ jobs:
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
- go-version: '1.19.x'
+ go-version: '1.21.x'
 - name: Check DB Migrations
 run: |
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
new file mode 100644
index 00000000..d08c52c1
--- /dev/null
+++ b/.github/workflows/fossa.yml
@@ -0,0 +1,42 @@
+# Copyright 2023 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Fossa Scan"
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["main"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ fossa-scan:
+ env:
+ FOSSA_API_KEY: ${{ secrets.fossaApiKey }}
+ runs-on: ubuntu-latest
+ steps:
+ - if: ${{ env.FOSSA_API_KEY != '' }}
+ name: "Checkout Code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - if: ${{ env.FOSSA_API_KEY != '' }}
+ name: "Run FOSSA Scan"
+ uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+ with:
+ api-key: ${{ env.FOSSA_API_KEY }}
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index ce1d8d63..cb507260 100644
--- a/.github/workflows/pipeline.yml
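Review bot: The new fossa-scan job has no runner-hardening step, whereas witness.yml in this same change runs step-security/harden-runner as its first step; for consistency, and so the scan's outbound traffic is at least audited, add the same pinned step ahead of "Checkout Code": `- name: Harden Runner` / `uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1`. The two `if: ${{ env.FOSSA_API_KEY != '' }}` guards deserve a comment, because they make the job succeed with every step skipped whenever the secret is unavailable, which is the case for pull requests from forks; something like `# All steps are skipped (job still succeeds) when the secret is absent, e.g. on fork PRs` above the first step would make that explicit. Combined with the `pull_request` trigger this means the scan effectively runs only on pushes to main, same-repo PRs and the weekly schedule; if that is intended, say so in the same comment.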
+++ b/.github/workflows/pipeline.yml
@@ -13,7 +13,6 @@
 # limitations under the License.
 permissions:
- id-token: write # This is required for requesting the JWT
 contents: read # This is required for actions/checkout
 name: pipeline
 on:
@@ -26,6 +25,9 @@ on:
 jobs:
 fmt:
 uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: static-analysis
@@ -34,6 +36,9 @@ jobs:
 static_analysis:
 uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: static-analysis
@@ -43,6 +48,9 @@ jobs:
 tests:
 needs: [fmt, static_analysis]
 uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: "tests"
@@ -79,7 +87,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Download GoReleaser
- run: go install github.com/goreleaser/goreleaser@latest
+ run: go install github.com/goreleaser/goreleaser@v1.23.0
 - name: Run GoReleaser
 uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
diff --git a/.github/workflows/update-pre-commit-hooks.yml b/.github/workflows/update-pre-commit-hooks.yml
index 4ea8361b..4f879646 100644
--- a/.github/workflows/update-pre-commit-hooks.yml
+++ b/.github/workflows/update-pre-commit-hooks.yml
@@ -22,6 +22,8 @@ on:
 schedule:
 # Run at 8:00 AM every day
 - cron: "0 8 * * *"
+permissions:
+ contents: read
 jobs:
 update-pre-commit-hooks:
 runs-on: ubuntu-latest
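Review bot: The release job that runs testifysec/witness-run-action (the `@@ -79,7 +87,7 @@` hunk, right after the `password: ${{ secrets.GITHUB_TOKEN }}` login) is not given a `permissions:` block anywhere in this diff, yet the first hunk removes the workflow-level `id-token: write`; if that job signs via OIDC like the witness.yml callers do, it now runs with `contents: read` only — its job header is outside the hunks, so please confirm before merging. The same three-line `permissions:` block is repeated verbatim in the `fmt`, `static_analysis` and `tests` hunks, which is fine, but a comment at the top-level `permissions:` such as `# id-token: write is granted per job below, only to jobs that call witness.yml` would stop the next reader from re-adding it globally. While touching these jobs: the `fmt` job passes `step: static-analysis` to witness.yml, the same value the `static_analysis` job passes; that is pre-existing context rather than part of this change, but it reads like a copy-paste worth double-checking.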
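Review bot: The new `permissions: contents: read` in update-pre-commit-hooks.yml is the right default, but this job runs `pre-commit autoupdate` and presumably commits the result or opens a pull request afterwards; those steps are outside both hunks and would need `contents: write` and/or `pull-requests: write` to keep working under this restriction. If the job only reports drift and never pushes, say so next to the block, e.g. `# read-only: this job never pushes or opens PRs`. Either way, grant any write scope on the job rather than at the workflow level, as witness.yml does in this same change.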
@@ -32,7 +34,7 @@ jobs:
 python-version: "3.11"
 - name: Install prerequisites
 run: |
- pip install pre-commit
+ pip install pre-commit==3.6.0
 - name: Update pre-commit hooks
 run: |
 pre-commit autoupdate
diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
index bf1bdf09..bf4c97c3 100644
--- a/.github/workflows/verify-licence.yml
+++ b/.github/workflows/verify-licence.yml
@@ -36,7 +36,7 @@ jobs:
 with:
 go-version: '1.19.x'
 - name: Install addlicense
- run: go install github.com/google/addlicense@latest
+ run: go install github.com/google/addlicense@v1.1.1
 - name: Check license headers
 run: |
 set -e
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index b880b2ec..47d1a640 100644
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -28,9 +28,15 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 witness:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
diff --git a/DEPENDENCY.md b/DEPENDENCY.md
new file mode 100644
index 00000000..015a05f0
--- /dev/null
+++ b/DEPENDENCY.md
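Review bot: The job-level `id-token: write` added to witness.yml only takes effect when the calling job grants it as well, since a reusable workflow cannot exceed its caller's permissions; this commit does add exactly that to the fmt, static_analysis and tests jobs in pipeline.yml, and a comment on the new block would save the next reader from hunting for that link, e.g. `# required for requesting the OIDC JWT; calling jobs must grant id-token: write too (see pipeline.yml)`. The workflow-level `permissions: contents: read` inserted above `jobs:` is redundant with the job-level `contents: read` but harmless; either drop one or note that the top-level entry is the default for any job added later. The rest of the witness job's steps are outside the hunk.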
@@ -0,0 +1,42 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy describes how Archivista maintainers consume third-party packages.
+
+## Scope
+
+This policy applies to all Archivista maintainers and all third-party packages used in the Archivista project.
+
+## Policy
+
+Archivista maintainers must follow these guidelines when consuming third-party packages:
+
+- Only use third-party packages that are necessary for the functionality of Archivista.
+- Use the latest version of all third-party packages whenever possible.
+- Avoid using third-party packages that are known to have security vulnerabilities.
+- Pin all third-party packages to specific versions in the Archivista codebase.
+- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
+
+## Procedure
+
+When adding a new third-party package to Archivista, maintainers must follow these steps:
+
+1. Evaluate the need for the package. Is it necessary for the functionality of Archivista?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Archivista codebase.
+5. Update the Archivista documentation to reflect the new dependency.
+
+## Enforcement
+
+This policy is enforced by the Archivista maintainers.
+Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the Archivista project lead on a case-by-case basis.
+
+## Credits
+
+This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
diff --git a/Dockerfile b/Dockerfile
index 91cdf391..12aa684f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,7 +21,7 @@ RUN --mount=target=. --mount=target=/root/.cache,type=cache \
 CGO_ENABLED=0 go build -o /out/archivista -ldflags '-s -d -w' ./cmd/archivista; \
 file /out/archivista | grep "statically linked"
-FROM alpine
+FROM alpine:3.19.0@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
 COPY --from=build /out/archivista /bin/archivista
 COPY --from=build /usr/local/bin/atlas /bin/atlas
 ADD entrypoint.sh /bin/entrypoint.sh
diff --git a/Dockerfile-dev b/Dockerfile-dev
index bff839eb..16bc30e1 100644
--- a/Dockerfile-dev
+++ b/Dockerfile-dev
@@ -17,5 +17,5 @@ WORKDIR /src
 RUN apk update && apk add --no-cache file git curl
 RUN curl -sSf https://atlasgo.sh | sh
 ENV GOMODCACHE /root/.cache/gocache
-RUN go install github.com/githubnemo/CompileDaemon@latest
+RUN go install github.com/githubnemo/CompileDaemon@v1.4.0
 ENTRYPOINT ["sh", "entrypoint-dev.sh"]
diff --git a/README.md b/README.md
index 783b1b92..012711a7 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,10 @@

+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8280/badge)](https://www.bestpractices.dev/projects/8280)
+[![OpenSSF-Scorecard](https://api.securityscorecards.dev/projects/github.com/in-toto/archivista/badge)](https://api.securityscorecards.dev/projects/github.com/in-toto/archivista)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Farchivista.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Farchivista?ref=badge_shield&issueType=license)
+
 # Archivista
 Archivista is a graph and storage service for [in-toto](https://in-toto.io) attestations. Archivista enables the discovery
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
new file mode 100644
index 00000000..f93f2e6d
--- /dev/null
+++ b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,81 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+header:
+ schema-version: 1.0.0
+ expiration-date: '2024-08-31T10:10:09.000Z'
+ last-updated: '2023-12-20'
+ last-reviewed: '2023-12-20'
+ commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
+ project-url: https://github.com/in-toto/archivista
+ project-release: 'v0.2.0'
+ changelog: https://github.com/in-toto/archivista/releases/tag/v0.2.0
+ license: https://github.com/in-toto/archivista/blob/main/LICENSE
+
+project-lifecycle:
+ status: active
+ roadmap: https://github.com/orgs/in-toto/projects/4/views/3
+ bug-fixes-only: false
+ core-maintainers:
+ - https://github.com/in-toto/archivista/MAINTAINERS.md
+ release-cycle: https://github.com/in-toto/archivista/releases
+
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+ contributing-policy: https://github.com/in-toto/archivista/blob/main/CONTRIBUTING.md
+ code-of-conduct: https://github.com/in-toto/archivista/blob/main/CODE_OF_CONDUCT.md
+
+documentation:
+ - https://in-toto.io
+
+distribution-points:
+ - https://github.com/in-toto/archivista/releases
+
+security-testing:
+- tool-type: sca
+ tool-name: Dependabot
+ tool-version: 2
+ tool-url: https://github.com/dependabot
+ integration:
+ ad-hoc: false
+ ci: true
+ before-release: false
+
+security-contacts:
+- type: email
+ value: security@testifysec.com
+ primary: true
+
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ email-contact: security@testifysec.com
+ security-policy: https://github.com/in-toto/archivista/SECURITY.md
+
+dependencies:
+ third-party-packages: true
+ dependencies-lists:
+ - https://github.com/in-toto/archivista/go.mod
+ sbom:
+ - sbom-file: https://foo.bar/sbom
+ sbom-format: CycloneDX
+ sbom-url: https://foo.bar
+ dependencies-lifecycle:
+ policy-url: https://github.com/in-toto/archivista/SECURITY.md
+ comment: |
+ All dependencies are subject to the Archivista Security Policy.
+ env-dependencies-policy:
+ policy-url: https://github.com/in-toto/archivista/DEPENDENCY.md
+ comment: |
+ All dependencies are subject to the Archivista Dependency Policy.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..6aaf873a
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,34 @@
+# Security Policy
+
+## Security Bulletins
+
+See current security bullentins on GitHub: https://github.com/in-toto/archivista/security/advisories
+
+For information regarding the security of this project please join:
+
+* in-toto-archivista on CNCF Slack
+
+## Reporting a Vulnerability
+
+Please use the below process to report a vulnerability to the project:
+
+Web Form:
+
+1. Please visit https://github.com/in-toto/archivista/security/advisories/new
+ * You will receive a confirmation email upon submission
+1. You may be contacted by a maintainer to further discuss the reported item
+ within 3 days. Please bear with us as we seek to understand the breadth
+ and scope of the reported problem, recreate it, and confirm if there is an
+ vulnerability present.
+
+This project follows a 30 day disclosure timeline.
+
+## Supported Versions
+
+Information regarding supported versions of this project can be found on
+in the below table:
+
+| Version | Supported |
+| --- | --- |
+| Latest | :white_check_mark: |
+| <= Latest - 2 | :x: |
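Review bot: The `sbom` entry under `dependencies` points at placeholder hosts (`sbom-file: https://foo.bar/sbom`, `sbom-url: https://foo.bar`); since this file is published as machine-readable security metadata, either replace them with the URL of the real SBOM artifact or drop the `sbom` block until one exists. The header comment credits "The Witness Contributors" while every other new file in this commit says "The Archivista Contributors", which looks like a copy-paste from the sibling project. Several links lack the `blob/main/` path segment that `license:` and `contributing-policy:` use — the `core-maintainers` entry, the `dependencies-lists` entry, `security-policy` and both `policy-url` values — so they will not resolve to the files on GitHub. The sequence style is mixed as well: `security-testing` and `security-contacts` use flush `-` items at column 0 while `core-maintainers`, `documentation` and `distribution-points` indent theirs; pick one for the file.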