diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index f3489c6..31dcdc6 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -8,6 +8,10 @@ on:
 branches:
 - master
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 check:
 runs-on: ubuntu-latest
@@ -26,9 +30,13 @@ jobs:
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 
- - name: setup tools
+ - name: check
 run: |
- curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -m 1 -o -E "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/
 tflint --init
+ make init fmt validate tflint
 
- - run: make
+ - name: tfsec
+ uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ additional_args: --exclude-downloaded-modules
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a5c85d5..2d7d018 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.72.1
+ rev: v1.75.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
diff --git a/.tflint.hcl b/.tflint.hcl
index 633f479..6e27071 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -4,6 +4,6 @@ config {
 
 plugin "aws" {
 enabled = true
- version = "0.14.0"
+ version = "0.17.1"
 source = "github.com/terraform-linters/tflint-ruleset-aws"
 }
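Review bot: The new workflow-level `permissions` block does not say which step needs each grant, and a reader of this hunk alone cannot tell why `pull-requests: write` is required when `contents: read` would otherwise do; add `# pull-requests: write is needed by the tfsec-pr-commenter-action step to post findings on the PR` above `permissions:`. The block applies to every job in the file, so a future job would inherit the write grant silently unless it sets its own `permissions`; a short note on that above the block, or moving the block under the `check` job, keeps the scope explicit. Only `branches: - master` of the trigger section is visible here; if the job also runs on `pull_request` events from forks, GITHUB_TOKEN is read-only there regardless of this block and the commenter step will not be able to post, so confirm which events run the job.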
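Review bot: The new `uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0` line pins a mutable tag for a step that receives `secrets.GITHUB_TOKEN` carrying the `pull-requests: write` grant; pin the release's full commit SHA and keep the tag as a comment, `uses: aquasecurity/tfsec-pr-commenter-action@<full-commit-sha-of-v1.2.0>  # v1.2.0`, so a moved tag upstream cannot change the code the token is handed to. The `with: github_token:` lines at the top of the hunk belong to an earlier step whose `uses:` line is outside the hunk; the same pinning applies there. `additional_args: --exclude-downloaded-modules` removes tfsec results for modules fetched under `.terraform`, so third-party module code is not covered by this check; if that is deliberate, record it above the line, e.g. `# intentional: findings inside downloaded third-party modules are out of scope for PR comments`, so the gap is visible to the next reader.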