diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 5170e5b..20e0de2 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -9,6 +9,8 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions: {}
+
 jobs:
   coverage:
     name: coverage
@@ -18,12 +20,14 @@ jobs:
       options: --security-opt seccomp=unconfined
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-      - uses: Swatinem/rust-cache@v2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
       - name: Generate code coverage
         run: cargo tarpaulin --verbose --all-features --workspace --timeout 120 --out xml
       - name: Upload coverage report to codecov.io
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         with:
           token: ${{ secrets.CODECOV_TOKEN }} # required
           fail_ci_if_error: true
@@ -31,8 +35,10 @@ jobs:
   clippy_check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: Swatinem/rust-cache@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
       - name: Run Clippy
         run: cargo clippy --all-targets --all-features
         env:
@@ -42,5 +48,23 @@ jobs:
     name: Check semantic version compatibility
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: obi1kenobi/cargo-semver-checks-action@v2
\ No newline at end of file
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+    - uses: obi1kenobi/cargo-semver-checks-action@5b298c9520f7096a4683c0bd981a7ac5a7e249ae # v2.8
+
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read # only needed for private repos
+      actions: read # only needed for private repos
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+
diff --git a/examples/jarm.rs b/examples/jarm.rs
index 8ce37fc..c97cb83 100644
--- a/examples/jarm.rs
+++ b/examples/jarm.rs
@@ -14,7 +14,7 @@ fn main() {
         }
     };
 
-    println!("JARM hash: {}", jarm_hash);
+    println!("JARM hash: {jarm_hash}");
     assert_eq!(jarm_hash, "27d3ed3ed0003ed1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c".to_string());
     println!("Done");
 }
\ No newline at end of file
diff --git a/src/lib.rs b/src/lib.rs
index f8411c9..3668211 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -308,7 +308,7 @@ pub fn build_packet(jarm_details: &PacketSpecification, rng: &dyn JarmRng) -> Ve
 
 pub fn pack_as_unsigned_char(n: usize) -> u8 {
     if n >= 256 {
-        panic!("Can't pack_as_unsigned_char {:?} as it is over 255", n)
+        panic!("Can't pack_as_unsigned_char {n:?} as it is over 255")
     }
     n as u8
 }
@@ -590,7 +590,7 @@ pub fn read_packet(data: Vec<u8>) -> JarmPart {
 // Convert bytes array to u32
 pub fn as_u32_be(array: &[u8]) -> u32 {
     if array.len() != 2 {
-        eprintln!("array = {:?}", array);
+        eprintln!("array = {array:?}");
         unimplemented!()  // not needed for now
     }
     ((array[0] as u32) << 8) + (array[1] as u32)
@@ -637,7 +637,7 @@ pub fn extract_extension_info(data: Vec<u8>, counter: usize) -> String {
     let alpn = find_extension(&types, values);
 
     let formatted_types = add_formatting_hyphen(&types);
-    format!("{}|{}", alpn, formatted_types)
+    format!("{alpn}|{formatted_types}")
 }
 
 fn data_has_errors(data: &[u8], counter: usize) -> bool {
@@ -673,7 +673,7 @@ pub fn find_extension(types: &[&[u8]], values: Vec<Option<&[u8]>>) -> String {
                 Some(y) => {
                     match std::str::from_utf8(&y[3..]) {
                         Ok(s) => return s.to_string(),
-                        Err(e) => panic!("Invalid UTF-8 sequence: {}", e),
+                        Err(e) => panic!("Invalid UTF-8 sequence: {e}"),
                     };
                 }
             }
@@ -715,7 +715,7 @@ pub fn version_byte(version: &str) -> char {
     let option = "abcdef".to_string();
     let version_index: usize = 3;
     let count: usize = match version.get(version_index..version_index+1) {
-        None => { panic!("version not expected {:?}", version)}
+        None => { panic!("version not expected {version:?}")}
         Some(str_count) => { usize::from_str(str_count).unwrap() }
     };
     option.chars().nth(count).unwrap()