diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 02c956d8..b28b541d 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -8,12 +8,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+# Setting some default permissions for all jobs
+permissions:
+ contents: read
+ security-events: read
+ pull-requests: read
+ checks: write
+
 jobs:
 lint:
- permissions:
- contents: read # for actions/checkout to fetch code
- pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
- checks: write # for golangci/golangci-lint-action to annotate Pull Requests
 name: Lint Go code
 runs-on: ubuntu-latest
 steps:
@@ -35,6 +38,8 @@ jobs:
 code-scan:
 name: Code Scan
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -58,6 +63,8 @@ jobs:
 govulncheck:
 runs-on: ubuntu-latest
 name: Run govulncheck
+ permissions:
+ security-events: write
 steps:
 # We only need to checkout as govuln does the go setup...
 - name: Checkout code
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
index a5f9b8c9..de176bcb 100644
--- a/.github/workflows/helm-test.yaml
+++ b/.github/workflows/helm-test.yaml
@@ -11,11 +11,13 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+ pull-requests: read
+ checks: write
+
 jobs:
 lint:
- permissions:
- contents: read # for actions/checkout to fetch code
- pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 name: Lint Helm Chart
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ee0fc273..92be465a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
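Review bot: The workflow-level `permissions` block added at the top of build-test.yaml grants `checks: write` to every job that declares no block of its own, where previously only `lint` held it. The first hunk of helm-test.yaml adds the same default, although its `lint` job had no `checks` scope at all before this change. Keeping the workflow default read-only and leaving `checks: write` on the `lint` job alone would keep the token at least privilege. The removed `# for actions/checkout ...` and `# for golangci/golangci-lint-action ...` comments were the only record of why each scope is needed and are worth carrying over to wherever the scopes end up.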
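Review bot: In the `code-scan` job of build-test.yaml (hunk at -35,6) the job-level `permissions:` lists only `security-events: write`, and a job-level block replaces the workflow default instead of merging with it, so every unlisted scope, including `contents`, becomes `none` for that job. Add `contents: read` beneath it so that actions/checkout does not depend on the repository being public. The `govulncheck` hunk at -58,6 adds the same block and needs the same line. The steps of both jobs continue outside the hunks, so whether later steps need further scopes cannot be judged from here.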
@@ -11,6 +11,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 release-name:
 name: Generate a clean release name from the branch/tag
diff --git a/pkg/client/docker/path.go b/pkg/client/docker/path.go
index 636b150e..bb453df4 100644
--- a/pkg/client/docker/path.go
+++ b/pkg/client/docker/path.go
@@ -6,7 +6,7 @@ import (
 )

 var (
- dockerReg = regexp.MustCompile(`(^(.*\.)?docker.com$)|(^(.*\.)?docker.io$)`)
+ dockerReg = regexp.MustCompile(`(^(.*\.)?docker\.com$)|(^(.*\.)?docker\.io$)`)
 )

 func (c *Client) IsHost(host string) bool {
diff --git a/pkg/client/gcr/path.go b/pkg/client/gcr/path.go
index 69b678ea..f24ce724 100644
--- a/pkg/client/gcr/path.go
+++ b/pkg/client/gcr/path.go
@@ -6,7 +6,7 @@ import (
 )

 var (
- reg = regexp.MustCompile(`(^(.*\.)?gcr.io$|^(.*\.)?k8s.io$|^(.+)-docker.pkg.dev$)`)
+ reg = regexp.MustCompile(`(^(.*\.)?gcr\.io$|^(.*\.)?k8s\.io$|^(.+)-docker\.pkg\.dev$)`)
 )

 func (c *Client) IsHost(host string) bool {
diff --git a/pkg/client/quay/path.go b/pkg/client/quay/path.go
index 0510a292..db431038 100644
--- a/pkg/client/quay/path.go
+++ b/pkg/client/quay/path.go
@@ -6,7 +6,7 @@ import (
 )

 var (
- reg = regexp.MustCompile(`(^(.*\.)?quay.io$)`)
+ reg = regexp.MustCompile(`(^(.*\.)?quay\.io$)`)
 )

 func (c *Client) IsHost(host string) bool {
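Review bot: The corrected `dockerReg` in pkg/client/docker/path.go still carries no comment stating which hosts it is meant to accept, so the next edit could reintroduce an unescaped dot unnoticed. Add `// dockerReg matches docker.com, docker.io and any subdomain of either; dots are literal.` above the declaration. The `reg` patterns in pkg/client/gcr/path.go and pkg/client/quay/path.go need an equivalent comment. A table test per package asserting that IsHost returns false for a constructed look-alike such as `dockerXio` would pin the fix; the body of IsHost lies outside these hunks, so this assumes it simply applies the pattern to `host`.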