diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b6eb8556..57f83219 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,12 +13,13 @@ name: "CodeQL"
 
 on:
 push:
- branches: ["main"]
+ branches:
+ - main
 pull_request:
- # The branches below must be a subset of the branches above
- branches: ["main"]
+ branches:
+ - main
 schedule:
- - cron: "0 0 * * 1"
+ - cron: "0 21 * * 6"
 
 permissions:
 contents: read
diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
index 2827a494..080f7256 100644
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -10,6 +10,9 @@ on:
 schedule:
 - cron: "0 21 * * 6"
 
+permissions:
+ contents: read
+
 jobs:
 hadolint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/mdl.yml b/.github/workflows/mdl.yml
index 08c6986d..7402f3d3 100644
--- a/.github/workflows/mdl.yml
+++ b/.github/workflows/mdl.yml
@@ -10,6 +10,9 @@ on:
 schedule:
 - cron: "0 21 * * 6"
 
+permissions:
+ contents: read
+
 jobs:
 mdl:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rspec.yml b/.github/workflows/rspec.yml
index ba031a24..1de73a30 100644
--- a/.github/workflows/rspec.yml
+++ b/.github/workflows/rspec.yml
@@ -10,6 +10,9 @@ on:
 schedule:
 - cron: "0 21 * * 6"
 
+permissions:
+ contents: read
+
 env:
 POSTGRES_HOST_AUTH_METHOD: "trust"
 POSTGRES_USER: "runner"
@@ -18,9 +21,6 @@ env:
 SECRET_KEY_BASE: "919650e468e29e897a53ef239b6e0228f8b71ec6ed353b691d140945e98d0c6a63731811afc27b61b9094523740962499afabc6d7ad0c872f1d5b62472083a08"
 CI: "yes"
 
-permissions:
- contents: read
-
 jobs:
 rspec:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 16d8792e..b94a5850 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
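Review bot: The removed comment `# The branches below must be a subset of the branches above` documented a constraint on the `pull_request` trigger that the change from a flow list to a block list does not remove, so the comment should be carried over rather than dropped. Keep it directly above the new `branches:` entry under `pull_request:`, unchanged: `# The branches below must be a subset of the branches above`. The new cron `"0 21 * * 6"` matches the schedule the hadolint, mdl and rspec workflows already use, which is fine, but that alignment is the only reason visible here and a one-line comment saying so would spare the next reader the comparison.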
@@ -6,13 +6,14 @@ name: Scorecard supply-chain security
 on:
 # For Branch-Protection check. Only the default branch is supported. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
- branch_protection_rule:
+ branch_protection_rule: {}
 # To guarantee Maintained check is occasionally updated. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
- schedule:
- - cron: '20 7 * * 2'
 push:
- branches: ["main"]
+ branches:
+ - main
+ schedule:
+ - cron: "0 21 * * 6"
 
 # Declare default permissions as read only.
 permissions: read-all
diff --git a/Dockerfile b/Dockerfile
index 706e9c52..7d1feaec 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.docker.com/library/ruby:3.3.0-slim as base
+FROM registry.docker.com/library/ruby:3.3.0-slim@sha256:763422273a15e307b044fcb3ad6b1ef6c290d2043ac73596842aba5659dc7318 as base
 
 LABEL maintainer="Igor Zubkov "
 
@@ -44,8 +44,7 @@ COPY . .
 RUN bundle exec bootsnap precompile app/ lib/
 
 # Workaround for nokogiri and trivy
-RUN rm -f /usr/local/bundle/ruby/3.3.0/gems/nokogiri-1.15.5-x86_64-linux/dependencies.yml
-RUN rm -f /usr/local/bundle/ruby/3.3.0/gems/nokogiri-1.15.5/dependencies.yml
+RUN rm -f /usr/local/bundle/ruby/3.3.0/gems/nokogiri-1.16.0-x86_64-linux/dependencies.yml
 
 # Final stage for app image
 FROM base
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 00000000..e6403bde
--- /dev/null
+++ b/LICENSE.txt
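Review bot: The two-line comment `# To guarantee Maintained check is occasionally updated. See` / `# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained` is left above `push:` now that the `schedule:` trigger it explains has been moved below the push block, so it reads as if the push trigger served the Maintained check. Move the comment with the trigger so both lines sit directly above the new `schedule:` entry. The `branch_protection_rule: {}` change is sound: the bare `branch_protection_rule:` parsed as null, and `{}` states the empty mapping explicitly.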
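Review bot: The new `RUN rm -f /usr/local/bundle/ruby/3.3.0/gems/nokogiri-1.16.0-x86_64-linux/dependencies.yml` line hard-codes both the gem version and the platform, and because of `-f` the step succeeds silently when that path does not exist, so the next nokogiri bump leaves the file in place with no build signal; the removed second line for the platform-independent `nokogiri-1.15.5/dependencies.yml` directory is also not carried forward, so a build that resolves the non-`x86_64-linux` gem keeps the file too. A glob keeps the workaround in step with whatever Gemfile.lock installs: `RUN rm -f /usr/local/bundle/ruby/3.3.0/gems/nokogiri-*/dependencies.yml`. That the scanner flags this file again after a version drift is inferred from the `# Workaround for nokogiri and trivy` comment rather than shown in the hunk.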
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016-2024 Ihor Zubkov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..90098a77
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+# EveMonk Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities against the following versions
+of EveMonk:
+
+| Version | Supported |
+|---------| ------------------ |
+| main | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to igor.zubkov@gmail.com. You should
+receive a response within 72 hours. If the issue is confirmed, we will release
+a patch as soon as possible depending on complexity but historically within a
+few days.