diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
index 5398af9..a5a7a59 100644
--- a/.github/workflows/Semgrep.yml
+++ b/.github/workflows/Semgrep.yml
@@ -26,8 +26,9 @@ jobs:
 runs-on: ubuntu-latest
 container:
- # A Docker image with Semgrep installed. Do not change this.
- image: returntocorp/semgrep
+ # Pinned by digest for supply-chain integrity (DEVA11Y-476).
+ # To update: docker manifest inspect returntocorp/semgrep:latest
+ image: returntocorp/semgrep@sha256:f682953ce85e3725f4a4dd94bd7ad13e570bb6b2c7a8cf7c6e38a9eac89239b2
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
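Review bot: The new `image:` line pins by digest alone, so nothing in the file records which Semgrep version that digest resolves to, and a reviewer of the next refresh cannot see what changed; writing it as `image: returntocorp/semgrep:<VERSION>@sha256:<digest>` keeps the digest as the integrity check while the tag documents the version (and gives Dependabot's docker ecosystem something to bump, should it be enabled for this repo). The added update comment resolves `:latest`, which means every refresh jumps to whatever is current at that moment; noting the resolved version in the tag makes that jump reviewable. For a multi-arch image, plain `docker manifest inspect` lists per-platform manifest digests, whereas the value to pin is the manifest-list digest — I would extend the comment to say so and point at `docker manifest inspect -v` (the top-level `Descriptor.digest`) or `docker buildx imagetools inspect`. The job definition continues outside the hunk, so I have not checked whether the pinned image is referenced anywhere else in the workflow.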