diff --git a/.editorconfig b/.editorconfig
index b4d9ec4..2dc2678 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,3 +1,10 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+
 [*.sh]
 indent_style = tab
 indent_size = 4
diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml
index 695685c..2633810 100644
--- a/.github/linters/.markdown-lint.yml
+++ b/.github/linters/.markdown-lint.yml
@@ -1 +1,8 @@
-{ "MD013": null, "MD045": null, "MD040": null, "MD036": null, "MD041": null }
+{
+ "MD013": null,
+ "MD045": null,
+ "MD040": null,
+ "MD036": null,
+ "MD041": null,
+ "MD060": null,
+}
diff --git a/.github/workflows/do-test.yml b/.github/workflows/do-test.yml
index 5d609f1..f176a04 100644
--- a/.github/workflows/do-test.yml
+++ b/.github/workflows/do-test.yml
@@ -24,9 +24,11 @@ jobs:
 # - centos-stream-9-x64 # yum oomkill
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup doctl
- uses: digitalocean/action-doctl@v2
+ uses: digitalocean/action-doctl@135ac0aa0eed4437d547c6f12c364d3006b42824 # v2.5.1
 with:
 token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
@@ -38,7 +40,10 @@ jobs:
 id: server_id
 - name: Move server to dedicated project
- run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }}
+ run: doctl projects resources assign "$DIGITALOCEAN_PROJECT_ID" --resource=do:droplet:"$SERVER_ID"
+ env:
+ DIGITALOCEAN_PROJECT_ID: ${{ secrets.DIGITALOCEAN_PROJECT_ID }}
+ SERVER_ID: ${{ steps.server_id.outputs.value }}
 - name: Wait for server to boot
 run: sleep 90
@@ -53,7 +58,7 @@ jobs:
 - name: Setup remote server (Debian/Ubuntu)
 if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
- uses: appleboy/ssh-action@v1.2.0
+ uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
 with:
 host: ${{ steps.server_ip.outputs.value }}
 username: root
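Review bot: The rewritten flow mapping in `.markdown-lint.yml` ends with `"MD060": null,` followed by `}`, leaving a trailing comma in what is otherwise JSON-shaped content. A YAML 1.2 flow mapping tolerates that comma, but any consumer that reads the file as JSON, or a stricter YAML loader, will reject it, and the comma buys nothing. Drop the comma on the last entry, or write the same keys as block YAML (`MD013: null` one per line) so the document is unambiguous either way.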
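Review bot: In the `do-test.yml` hunk at `@@ -24,9 +24,11`, `actions/checkout@v4` on the context line stays on a floating major tag while `digitalocean/action-doctl` two steps below is pinned to a commit SHA with a `# v2.5.1` comment, so the pinning in this job is only partial — and checkout is the step that receives the job token first. Pin it the same way, `uses: actions/checkout@<commit-sha> # v4.x.y`, using the commit of the v4 release you intend; note the other workflows in this change already use `actions/checkout@v6`, so aligning the major version at the same time would be reasonable. The added `persist-credentials: false` is correct for a job that never pushes.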
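Review bot: In the `Move server to dedicated project` step, `SERVER_ID` is spliced into `--resource=do:droplet:"$SERVER_ID"` with no check that the preceding `server_id` step (outside this hunk) actually produced a value; if its output is empty the command becomes `--resource=do:droplet:` and the step relies on doctl rejecting it. Moving both `${{ }}` expressions out of the inline `run:` into `env:` is the right fix for expression injection; add a guard ahead of the call, `test -n "$SERVER_ID" || { echo "droplet id not set" >&2; exit 1; }`, so a silently empty output fails here rather than downstream.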
@@ -62,7 +67,7 @@ jobs:
 - name: Setup remote server (Fedora)
 if: steps.server_os.outputs.value == 'fedora'
- uses: appleboy/ssh-action@v1.2.0
+ uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
 with:
 host: ${{ steps.server_ip.outputs.value }}
 username: root
@@ -71,7 +76,7 @@ jobs:
 - name: Setup remote server (CentOS)
 if: steps.server_os.outputs.value == 'centos'
- uses: appleboy/ssh-action@v1.2.0
+ uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
 with:
 host: ${{ steps.server_ip.outputs.value }}
 username: root
@@ -79,7 +84,7 @@ jobs:
 script: set -x && yum install -y git
 - name: Download repo and checkout current commit
- uses: appleboy/ssh-action@v1.2.0
+ uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
 with:
 host: ${{ steps.server_ip.outputs.value }}
 username: root
@@ -87,7 +92,7 @@ jobs:
 script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.sha }}
 - name: Run openvpn-install.sh in headless mode
- uses: appleboy/ssh-action@v1.2.0
+ uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
 with:
 host: ${{ steps.server_ip.outputs.value }}
 username: root
diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
index bdb1c2a..215f7d3 100644
--- a/.github/workflows/docker-test.yml
+++ b/.github/workflows/docker-test.yml
@@ -60,9 +60,11 @@ jobs:
 name: ${{ matrix.os.name }}
 steps:
 - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Build server image
 run: |
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 2eabb91..6a04a2f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
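Review bot: In the `docker-test.yml` hunk at `@@ -60,9 +60,11`, `actions/checkout@v6` on the context line remains tag-pinned while `docker/setup-buildx-action` just below is pinned to a commit SHA with `# v3.11.1`, so the job is still only partly pinned and the first action to touch the job token is the unpinned one. Pin checkout to the commit of the v6 release you intend, `uses: actions/checkout@<commit-sha> # v6.x.y`, in the same style. The new `persist-credentials: false` is appropriate for a job that only builds and runs images.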
@@ -21,7 +21,8 @@ jobs:
 uses: actions/checkout@v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Lint Code Base
- uses: super-linter/super-linter@v7
+ uses: super-linter/super-linter@502f4fe48a81a392756e173e39a861f8c8efe056 # v8
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/update-easyrsa-hash.yml b/.github/workflows/update-easyrsa-hash.yml
index 7245e7a..d3cff5c 100644
--- a/.github/workflows/update-easyrsa-hash.yml
+++ b/.github/workflows/update-easyrsa-hash.yml
@@ -25,6 +25,7 @@ jobs:
 with:
 ref: ${{ github.head_ref }}
 token: ${{ secrets.PAT }}
+ persist-credentials: false
 - name: Extract version and update SHA256
 run: |
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..69f9cb1
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,8 @@
+# Test containers require root for OpenVPN NET_ADMIN capability
+AVD-DS-0002
+
+# Test containers don't need healthcheck
+AVD-DS-0026
+
+# False positive: yum clean all is present in the conditional but Trivy doesn't detect it
+AVD-DS-0015
diff --git a/FAQ.md b/FAQ.md
index cef7f2d..12dc709 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -35,7 +35,7 @@ up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf
 ```
-Centos 6, 7
+CentOS 6, 7
 ```
 script-security 2
@@ -43,7 +43,7 @@ up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
 down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
 ```
-Centos 8, Fedora 30, 31
+CentOS 8, Fedora 30, 31
 ```
 script-security 2
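Review bot: In `lint.yml`, the new `super-linter/super-linter@502f4fe… # v8` is a major-version jump from v7 folded into a pinning commit, and its comment names only the floating `v8` tag rather than the exact release the SHA corresponds to, unlike `# v2.5.1` and `# v3.11.1` elsewhere in this change. Pin-update tooling keys off that comment and a reader cannot tell which v8.x the hash is, so record the full version, e.g. `# v8.0.0` or whichever release that commit is. A major bump can enable linters or change defaults that the existing `.github/linters/` configuration does not cover — presumably why `MD060` is being disabled in the same change — so call it out in the commit message. `actions/checkout@v6` on the context line is still tag-pinned.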
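Review bot: In `update-easyrsa-hash.yml`, adding `persist-credentials: false` to a checkout that is given `token: ${{ secrets.PAT }}` removes the PAT from the checked-out repository's git config, so if a later step in this job (outside the hunk) commits the updated SHA256 and runs `git push`, it will now push unauthenticated and fail unless it re-supplies credentials explicitly (a token-bearing remote URL, or an action that takes the token as an input); verify that step before merging. If nothing in the job pushes, the PAT checkout is unnecessary and the default `GITHUB_TOKEN` would do with less exposure. Separately, checking out `ref: ${{ github.head_ref }}` with a PAT runs whatever that ref contains in the following `run:` step, which is only safe if the workflow trigger, defined outside this hunk, restricts who can supply that ref.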
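Review bot: A plain `.trivyignore` suppresses `AVD-DS-0002`, `AVD-DS-0026` and `AVD-DS-0015` for every Dockerfile Trivy scans in the repository, while the comments justify them only for the test containers; a future non-test Dockerfile that runs as root or skips its package-cache cleanup would be silently ignored. Trivy's YAML ignore file (`.trivyignore.yaml`) lets each `misconfigurations` entry carry `paths:` so the exemption can be limited to `test/Dockerfile.server` and `test/Dockerfile.client`, plus an optional `expired_at` that forces periodic re-review. The `AVD-DS-0015` entry is labelled a false positive; if the `yum clean all` really sits in a branch Trivy cannot evaluate, restructuring the RUN so the cleanup is unconditional would be preferable to hiding the finding.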
@@ -117,13 +117,13 @@ Sysctl options are at `/etc/sysctl.d/99-openvpn.conf`
 **Q:** How can I access computers the OpenVPN server's remote LAN?
-**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
+**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart OpenVPN. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
 ---
 **Q:** How can I add multiple users in one go?
-**A:** Here is a sample bash script to achieve this:
+**A:** Here is a sample Bash script to achieve this:
 ```sh
 userlist=(user1 user2 user3)
@@ -158,7 +158,7 @@ route-nopull
 route 10.0.0.0 255.0.0.0
 ```
-So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet.
+So for example - here it would route all traffic of `10.0.0.0/8` to the VPN. And the rest through the internet.
 ---
diff --git a/README.md b/README.md
index 2861931..30aadbc 100644
--- a/README.md
+++ b/README.md
@@ -211,7 +211,7 @@ Please open an issue before submitting a PR if you want to discuss a change, esp
 ### Code formatting
-We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/lint.yml).
+We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce Bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the [lint workflow configuration](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/lint.yml).
 ## Security and Encryption
diff --git a/biome.json b/biome.json
new file mode 100644
index 0000000..cd69666
--- /dev/null
+++ b/biome.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://biomejs.dev/schemas/1.9.4/schema.json",
+ "formatter": {
+ "indentStyle": "space",
+ "indentWidth": 2
+ }
+}
diff --git a/test/Dockerfile.client b/test/Dockerfile.client
index a8121e3..6ce945a 100644
--- a/test/Dockerfile.client
+++ b/test/Dockerfile.client
@@ -5,7 +5,7 @@ FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
 # Install OpenVPN client and testing tools
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
 openvpn \
 iproute2 \
 iputils-ping \
diff --git a/test/Dockerfile.server b/test/Dockerfile.server
index acf6f0f..2cee391 100644
--- a/test/Dockerfile.server
+++ b/test/Dockerfile.server
@@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 # Install basic dependencies based on the OS
 RUN if command -v apt-get >/dev/null; then \
- apt-get update && apt-get install -y \
+ apt-get update && apt-get install -y --no-install-recommends \
 iproute2 iptables curl procps systemd systemd-sysv \
 && rm -rf /var/lib/apt/lists/*; \
 elif command -v dnf >/dev/null; then \
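Review bot: In `test/Dockerfile.client`, `--no-install-recommends` now drops the Recommends of every package in this `apt-get install` list, including `openvpn`'s, and the package list continues past the hunk; anything the client-side test previously relied on that arrived only as a recommended package will be missing, so the test run on this image, not just the build, needs to be confirmed green. No `rm -rf /var/lib/apt/lists/*` is visible in the hunk; if the rest of the instruction lacks it, add `&& rm -rf /var/lib/apt/lists/*` for parity with `test/Dockerfile.server`. The `RUN` instruction starts inside the hunk but ends outside it.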
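Review bot: In `test/Dockerfile.server`, only the apt-get branch of the `RUN if ... fi` gains `--no-install-recommends`; the `elif command -v dnf` branch (and the yum branch the `.trivyignore` comment refers to) continue past the hunk and, as far as is visible, still pull in weak dependencies, so the image-minimisation intent is applied inconsistently across the distros. Give dnf the equivalent, `dnf install -y --setopt=install_weak_deps=False ...`, and the same flag for the yum branch where yum is dnf-backed (CentOS/RHEL 8+); classic yum 3 does not recognise the option, so guard it if that platform is still in the matrix. The enclosing `RUN` starts at `RUN if command -v apt-get` in the hunk but ends outside it.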