diff --git a/.github/workflows/docker-publish-openclaw.yml b/.github/workflows/docker-publish-openclaw.yml
index c0967d76..55a774c6 100644
--- a/.github/workflows/docker-publish-openclaw.yml
+++ b/.github/workflows/docker-publish-openclaw.yml
@@ -224,7 +224,7 @@ jobs:
 
     steps:
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac # master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           format: 'sarif'
diff --git a/.github/workflows/docker-publish-x402-verifier.yml b/.github/workflows/docker-publish-x402-verifier.yml
index 8b027c76..68e7ea1f 100644
--- a/.github/workflows/docker-publish-x402-verifier.yml
+++ b/.github/workflows/docker-publish-x402-verifier.yml
@@ -97,7 +97,7 @@ jobs:
 
     steps:
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac # master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
           format: 'sarif'