diff --git a/.editorconfig b/.editorconfig
index 37d38bb..0f17867 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -6,4 +6,4 @@ end_of_line = lf
 indent_size = 2
 indent_style = space
 insert_final_newline = true
-trim_trailing_whitespace = true
\ No newline at end of file
+trim_trailing_whitespace = true
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6593ffa..efec4aa 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -28,4 +28,3 @@ updates:
       include: "scope"
     cooldown:
       default-days: 7
-
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 9a058fd..714d0df 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -54,7 +54,7 @@ jobs:
           ccache -p
 
       - name: Get latest node version
-        run: echo "LATEST_VERSION=$(curl -fsSLo- --compressed https://nodejs.org/dist/index.json | jq '.[].version' | tr -d '"' | tr -d 'v' | head -1)" >> $GITHUB_ENV
+        run: echo "LATEST_VERSION=$(curl -fsSLo- --compressed https://nodejs.org/dist/index.json | jq '.[].version' | tr -d '"' | tr -d 'v' | head -1)" >> "$GITHUB_ENV"
 
       - name: Display Node Version
         run: |
@@ -64,9 +64,9 @@ jobs:
         run: |
           export PATH="/usr/lib/ccache:/usr/local/opt/ccache/libexec:$PATH"
           which gcc
-          ./build.sh -n $LATEST_VERSION
+          ./build.sh -n "$LATEST_VERSION"
           ccache -s
-          cp node-v$LATEST_VERSION/out/Release/node node
+          cp "node-v${LATEST_VERSION}/out/Release/node" node
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 29e9ecb..f16a54e 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -42,7 +42,7 @@ jobs:
 
       - name: Shellcheck
         run: |
-          shellcheck *.sh
+          shellcheck ./*.sh
           shellcheck test/*.bats
 
   markdownlint:
diff --git a/.github/workflows/update-current-image.yml b/.github/workflows/update-current-image.yml
index 9e0c154..fe3c427 100644
--- a/.github/workflows/update-current-image.yml
+++ b/.github/workflows/update-current-image.yml
@@ -47,7 +47,7 @@ jobs:
           else
             NODE_VERSION=$(./check-missing-versions.sh | tail -1)
           fi
-          echo "NODE_VERSION=$NODE_VERSION" >> $GITHUB_OUTPUT
+          echo "NODE_VERSION=$NODE_VERSION" >> "$GITHUB_OUTPUT"
           if [[ -n "$NODE_VERSION" ]]; then
             echo "Building Node.js version: $NODE_VERSION"
           else
@@ -99,17 +99,17 @@ jobs:
 
       - name: Set and Display Versions
         run: |
-          MAJOR_VERSION=$(echo $NODE_VERSION | cut -d'.' -f 1)
-          echo "MAJOR_VERSION=$MAJOR_VERSION" >> $GITHUB_ENV
+          MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d'.' -f 1)
+          echo "MAJOR_VERSION=$MAJOR_VERSION" >> "$GITHUB_ENV"
           echo "Building Node.js version: $NODE_VERSION (major: $MAJOR_VERSION)"
 
       - name: Build Node
         run: |
           export PATH="/usr/lib/ccache:/usr/local/opt/ccache/libexec:$PATH"
           which gcc
-          ./build.sh -n $NODE_VERSION
+          ./build.sh -n "$NODE_VERSION"
           ccache -s
-          cp node-v$NODE_VERSION/out/Release/node node
+          cp "node-v${NODE_VERSION}/out/Release/node" node
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
@@ -181,7 +181,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set major version
-        run: echo "MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d'.' -f 1)" >> $GITHUB_ENV
+        run: echo "MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d'.' -f 1)" >> "$GITHUB_ENV"
 
       - name: Create DockerHub multi-arch manifests
         env:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f74e217..acad499 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,9 +1,28 @@
 repos:
-  - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.11.0
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.9
     hooks:
-      - id: shellcheck
-        files: \.(sh|bats)$
+      - id: actionlint
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.23.1
+    hooks:
+      - id: gitleaks
+
+  - repo: https://github.com/DavidAnson/markdownlint-cli2
+    rev: v0.22.1
+    hooks:
+      - id: markdownlint-cli2-docker
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-merge-conflict
+      - id: check-added-large-files
+      - id: mixed-line-ending
 
   - repo: https://github.com/scop/pre-commit-shfmt
     rev: v3.13.1-1
@@ -12,7 +31,13 @@ repos:
         args: [-sr, -i, '2', -w, -ci]
         files: \.(sh|bats)$
 
-  - repo: https://github.com/DavidAnson/markdownlint-cli2
-    rev: v0.22.1
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
     hooks:
-      - id: markdownlint-cli2-docker
+      - id: shellcheck
+        files: \.(sh|bats)$
+
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.9.0
+    hooks:
+      - id: zizmor