diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 15d4fc4..dc58a47 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -26,7 +26,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - id: dsv # If using as a template outside of the actual repo, you sould reference like this instead: # uses: DelineaXPM/dsv-github-action@v1 # renovate: tag=v1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index be5347a..e49273d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 # https://github.com/magnetikonline/action-golang-cache - name: Setup Golang with cache @@ -22,7 +22,7 @@ jobs: with: go-version-file: go.mod # https://github.com/magnetikonline/action-golang- - - uses: aquaproj/aqua-installer@61e2563dfe7674cbf74fe6ec212e444198a3bb00 # tag=v2.0.2 + - uses: aquaproj/aqua-installer@fd2089d1f56724d6456f24d58605e6964deae124 # v2.3.2 with: aqua_version: v2.21.3 enable_aqua_install: true @@ -36,7 +36,7 @@ jobs: version: latest args: init - name: docker-login - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 with: username: ${{ secrets.DSV_DOCKER_USERNAME }} password: ${{ secrets.DSV_DOCKER_PASSWORD }} diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index 3942bcc..8bd4584 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml 
@@ -10,42 +10,49 @@ version: 0.1
 runtimes:
 enabled:
 - node@21.6.0
- - python@3.11
+ - python@3.12.2
 - go@1.21.6 # make sure this matches what's in go.mod for this to work correctly.
 cli:
- version: 1.19.0
+ version: 1.22.2
 plugins:
 sources:
 - id: trunk
- ref: v1.2.1
+ ref: v1.6.1
 uri: https://github.com/trunk-io/plugins
 lint:
 enabled:
- - actionlint@1.6.26
+ - checkov@3.2.191
+ - osv-scanner@1.8.2
+ - renovate@37.432.0
+ - trivy@0.53.0
+ - trufflehog@3.79.0
+ - actionlint@1.7.1
 - git-diff-check@SYSTEM
- - gitleaks@8.18.1
- - gofmt@1.16.7
- - golangci-lint@1.55.2
+ - gitleaks@8.18.4
+ - gofmt@1.20.4
+ - golangci-lint@1.59.1
 - hadolint@2.12.0
- - markdownlint@0.38.0
- - prettier@3.2.4
- - shellcheck@0.9.0
- - shfmt@3.5.0
- - taplo@0.8.1
- - yamllint@1.28.0
+ - markdownlint@0.41.0
+ - prettier@3.3.3
+ - shellcheck@0.10.0
+ - shfmt@3.6.0
+ - taplo@0.9.2
+ - yamllint@1.35.1
 threshold:
 - linters: [markdownlint]
 level: high
 ignore:
 - linters: [ALL]
 paths:
- - .devcontainer/library-scripts
 - .devcontainer/init
- - vendor/*
- - linters: [markdownlint]
- paths:
- # in progress changelog notes
- - .changes/*.md
+ - vendor/**
+ - '**/*/mage_output_file.go'
+ - .artifacts/**
+ - .cache/**
 - linters: [yamllint]
 paths:
 - .changes/unreleased/*.yaml
+ - linters: [checkov, trufflehog, trivy]
+ paths:
+ - .changes/**
+ - .trunk/**
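Review bot: The last ignore entry in this hunk, `linters: [checkov, trufflehog, trivy]`, takes `.changes/**` and `.trunk/**` out of trufflehog's scope without a comment giving the reason, and `.changes/` holds hand-written changelog notes where a pasted credential is plausible. gitleaks is enabled and not in that list, so those paths still appear to get one secret scanner, but nothing in the file records that this is intended and a later edit could remove it unnoticed. I would add a comment above the entry such as `# <reason for the exclusion>; gitleaks still scans these paths`, or narrow the list to `[checkov, trivy]` if trufflehog was only added for convenience. Separately, the `[ALL]` entry now also covers `.artifacts/**` and `.cache/**`, which switches off every linter including both secret scanners there, so it is worth confirming those directories are git-ignored build output.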