diff --git a/.github/actions/image_scan/action.yml b/.github/actions/image_scan/action.yml
index 31d5a78fe..519f6a708 100644
--- a/.github/actions/image_scan/action.yml
+++ b/.github/actions/image_scan/action.yml
@@ -32,7 +32,7 @@ runs:
     run: docker logout public.ecr.aws
 
   - name: Run Trivy vulnerability scanner on image
-    uses: aquasecurity/trivy-action@master
+    uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
     with:
       image-ref: ${{ inputs.image-ref }}
       severity: ${{ inputs.severity }}
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 70302e309..b863c68cd 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -16,7 +16,7 @@ permissions:
   contents: read
 
 jobs:
-  changelog-check:
+  static-code-checks:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
@@ -24,6 +24,7 @@ jobs:
           fetch-depth: 0
           
       - name: Check CHANGELOG
+        if: always()
         run: |
           # Check if PR is from workflows bot or dependabot
           if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
@@ -52,6 +53,24 @@ jobs:
           echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR."
           exit 1
 
+      - name: Check for versioned GitHub actions
+        if: always()
+        run: |
+          # Get changed GitHub workflow/action files
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+          
+          if [ -n "$CHANGED_FILES" ]; then
+            # Check for any versioned actions, excluding comments and this validation script
+            VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
+            if [ -n "$VIOLATIONS" ]; then
+              echo "Found versioned GitHub actions. Use commit SHAs instead:"
+              echo "$VIOLATIONS"
+              exit 1
+            fi
+          fi
+          
+          echo "No versioned actions found in changed files"
+
   build:
     runs-on: ubuntu-latest
     strategy: