diff --git a/.cspell.json b/.cspell.json
index 7daf9e3..59223a4 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -29,10 +29,12 @@
 "catthehacker",
 "cmdline",
 "codeowners",
+ "codeql",
 "commandlinetools",
 "containerd",
 "containerimage",
 "coreutils",
+ "cves",
 "dbus",
 "dckr",
 "dearmor",
@@ -110,6 +112,7 @@
 "pwsh",
 "quickview",
 "rubygems",
+ "sarif",
 "semgrep",
 "Sfrg",
 "shellcheck",
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 53b9747..24a41ab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,8 +15,6 @@ on:
 permissions:
 contents: read
- packages: write
- pull-requests: write
 env:
 REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }}
@@ -70,6 +68,11 @@ jobs:
 build:
 needs: test
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ pull-requests: write
+ security-events: write
 strategy:
 matrix:
 targets: ${{ fromJson(needs.test.outputs.targets) }}
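Review bot: The build job's new permissions block grants `pull-requests: write`, but no step visible in this commit uses a pull-request API — the image push, Scout scan and SARIF upload are covered by `packages: write` and `security-events: write`, and the Docker Scout PR-comparison step in the later hunk is commented out. If the grant is kept for that future step, say so on the line so the next reader does not drop it, e.g. `pull-requests: write # for the Docker Scout PR comparison step (currently commented out)`; otherwise removing it keeps the job at least privilege. The rest of the build job lies outside this hunk, so a step using it may exist there.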
@@ -121,7 +124,31 @@ jobs:
 targets: ${{ matrix.targets }}
 sbom: true
 provenance: true
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
+
+ - name: Get the image tag
+ id: meta
+ run: |
+ printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '[.target[].tags[]][0]')" >> "$GITHUB_OUTPUT"
+
+ - name: Analyze for critical and high CVEs
+ id: docker-scout-cves
+ if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
+ # kics-scan ignore-line
+ uses: docker/scout-action@v0.23.4
+ with:
+ command: cves
+ image: ${{ steps.meta.outputs.tag }}
+ sarif-file: sarif.output.json
+ summary: false
+
+ - name: Upload SARIF result
+ id: upload-sarif
+ if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
+ # kics-scan ignore-line
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: sarif.output.json
 #
 # vulnerability scanning to verify PRs
 # - name: Docker Scout
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index 9c390db..16c67d8 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -127,7 +127,7 @@ jobs:
 github.event_name == 'push' ||
 github.event.pull_request.head.repo.full_name == github.repository
 )
- run: sudo chown -Rc $UID .git/
+ run: 'sudo chown -Rc $UID .git/' # kics-scan ignore-line
 - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a
diff --git a/README.md b/README.md
index f141ad5..b56ce14 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ The easiest way is to add those lines in your `~/.actrc`:
 -P ubuntu-20.04=mauwii/ubuntu-act:20.04
 ```
-For further Informations about nektos/act and how to use it, take a 👀 at the [nektos
+For further information about [nektos/act][nektosActRepo] and how to use it, take a 👀 at the [nektos
 documentation📖][nektosDocs]
 ## How I run act on my M2-Max 💻
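Review bot: Both new actions are referenced by mutable tags, `docker/scout-action@v0.23.4` and `github/codeql-action/upload-sarif@v2`, and the `# kics-scan ignore-line` comment above each suppresses the scanner's pinning finding without recording why. The repository already pins `stefanzweifel/git-auto-commit-action@3ea6ae19…` by commit SHA in mega-linter.yml, so the consistent form is `uses: docker/scout-action@<commit-sha> # v0.23.4` (and likewise for upload-sarif); a tag can be repointed after review, and this job holds `packages: write` and `security-events: write`, so what a repointed tag could reach is not small. If the suppressions stay, put the reason on the marker, e.g. `# kics-scan ignore-line: <reason>`; the mega-linter.yml hunk later in this commit adds the same unexplained marker. In `Get the image tag`, `${{ matrix.targets }}` is expanded straight into the shell line; routing it through `env:` and quoting it is the usual way to keep workflow values out of shell parsing, even though this value comes from the workflow's own test job. The build job's remaining steps are outside this hunk.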
diff --git a/linux/ubuntu/Dockerfile b/linux/ubuntu/Dockerfile
index ee205f7..b2c7ac0 100644
--- a/linux/ubuntu/Dockerfile
+++ b/linux/ubuntu/Dockerfile
@@ -318,7 +318,7 @@ ENV PATH=/usr/local/go/bin:${PATH}
 RUN sed "s|^PATH=|PATH=/usr/local/go/bin:|mg" -i /etc/environment
 # add pulumi
-COPY --from=pulumi /root/.pulumi/bin/* /usr/local/bin/
+COPY --from=pulumi /root/.pulumi/bin /usr/local/bin/
 # add bicep
 COPY --from=bicep /usr/local/bin/bicep /usr/local/bin/bicep
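Review bot: The new `COPY --from=pulumi /root/.pulumi/bin /usr/local/bin/` relies on the Dockerfile rule that copying a directory copies its contents rather than the directory itself, which is what keeps it equivalent to the old `bin/*` form; that is not obvious to a reader and is worth stating in the existing comment, e.g. `# add pulumi (COPY of a directory places its contents into /usr/local/bin/)`. One difference to be aware of is that the glob form fails the build when nothing matches, while the directory form succeeds on an existing but empty directory, so a pulumi stage that produced no binaries would now surface only at runtime. The pulumi stage itself is outside this hunk.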