diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index 6cd1b048b..843b4b2fe 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -15,8 +15,8 @@ jobs:
         language: [go, javascript-typescript]
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: github/codeql-action/init@v3 # SECURITY(MEDIUM-007): TODO — pin to SHA
+      - uses: github/codeql-action/init@v4 # SECURITY(MEDIUM-007): TODO — pin to SHA
         with:
           languages: ${{ matrix.language }}
-      - uses: github/codeql-action/autobuild@v3 # SECURITY(MEDIUM-007): TODO — pin to SHA
-      - uses: github/codeql-action/analyze@v3 # SECURITY(MEDIUM-007): TODO — pin to SHA
+      - uses: github/codeql-action/autobuild@v4 # SECURITY(MEDIUM-007): TODO — pin to SHA
+      - uses: github/codeql-action/analyze@v4 # SECURITY(MEDIUM-007): TODO — pin to SHA