diff --git a/.github/actions/attack/action.yml b/.github/actions/attack/action.yml
index fdd09a6..7fa9c8b 100644
--- a/.github/actions/attack/action.yml
+++ b/.github/actions/attack/action.yml
@@ -21,7 +21,7 @@ runs:
     # emits .wapiti/generated_reports/report.html
     # for now, base default scan
     - name: Wapiti Scan
-      uses: gipo355/vuln-docker-scanners-wapiti-action@v1.0.1
+      uses: gipo355/vuln-docker-scanners-wapiti-action@ac766eb164b45fe0cd7ee64097a343ead1b85d03 # v1.0.1
       with:
         target: "http://localhost:8080/tomcat-webapp-boilerplate/app"
         github_token: ${{ inputs.github_token }}