diff --git a/.github/workflows/check-executable-permissions.yml b/.github/workflows/check-executable-permissions.yml
index f0a4dfbc..fc6d4c01 100644
--- a/.github/workflows/check-executable-permissions.yml
+++ b/.github/workflows/check-executable-permissions.yml
@@ -1,10 +1,14 @@
 name: Enforce Script Executable Permissions
 
 on:
-  pull_request:
+  pull_request_target:
+    branches: [ "main" ]
     paths:
       - '**/run.sh'
       - '**/*.sh'
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
 
 jobs:
   permissions:
diff --git a/.github/workflows/preflight-checker-workflow.yml b/.github/workflows/preflight-checker-workflow.yml
index 6b573fb2..0820ceba 100644
--- a/.github/workflows/preflight-checker-workflow.yml
+++ b/.github/workflows/preflight-checker-workflow.yml
@@ -15,7 +15,7 @@ jobs:
     uses: qualcomm-linux/qli-actions/.github/workflows/multi-checker.yml@main
     with:
         repolinter: true # default: true
-        semgrep: false # default: true
+        semgrep: true # default: true
         copyright-license-detector: true # default: true
         pr-check-emails: true # default: true
 
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index ff790cd5..19f494c4 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,6 +1,11 @@
 name: Shell Lint
 
-on: [pull_request, push]
+on:
+  pull_request_target:
+    branches: [ "main" ]
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
 
 jobs:
   shellcheck: