diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index ee08d2a..6e96e31 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -10,7 +10,13 @@ jobs:
   cppcheck:
     name: C/C++ Static Analysis
     runs-on: anvil
+    container:
+      image: docker.io/library/debian:bookworm-slim
     steps:
+      - name: Install tools
+        run: |
+          apt-get update && apt-get install -y --no-install-recommends git cppcheck ca-certificates
+
       - name: Checkout
         run: |
           git clone --depth=1 --branch=${{ github.ref_name }} \
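Review bot: The new `container.image` is pinned only to the mutable tag `docker.io/library/debian:bookworm-slim`, and the added `Install tools` step takes `cppcheck` at whatever version the distro mirror serves at run time, so the toolchain that judges this repository is not reproducible and a retagged image or a changed package can alter results without any change to this file. Pin the image by digest, `image: docker.io/library/debian:bookworm-slim@sha256:<IMAGE_DIGEST>` (placeholder — take the digest from the registry), and consider pinning the package, `apt-get install -y --no-install-recommends git cppcheck=<PINNED_VERSION> ca-certificates`. The same applies to the `python:3.12-slim`, `gitleaks:latest` and `shellcheck-alpine:stable` images introduced in the next hunk; a floating `latest` tag is the weakest choice for a secret scanner whose output gates merges. Note that the `Checkout` step that follows the insertion is pre-existing context, so the clone URL is not part of this change.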
@@ -28,39 +34,47 @@ jobs:
   flawfinder:
     name: Security Flaw Analysis
     runs-on: anvil
+    container:
+      image: docker.io/library/python:3.12-slim
     steps:
+      - name: Install tools
+        run: |
+          apt-get update && apt-get install -y --no-install-recommends git ca-certificates
+          pip install --no-cache-dir flawfinder
+
       - name: Checkout
         run: |
           git clone --depth=1 --branch=${{ github.ref_name }} \
             https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .
-      - name: Install and run flawfinder
+      - name: Run flawfinder
         run: |
-          python3 -m pip install --user flawfinder
-          ~/.local/bin/flawfinder --minlevel=2 --error-level=4 \
+          flawfinder --minlevel=2 --error-level=4 \
             get-started/csi_recv_router/main/
   gitleaks:
     name: Secret Scanning
     runs-on: anvil
+    container:
+      image: docker.io/zricethezav/gitleaks:latest
     steps:
       - name: Checkout
         run: |
           git clone --branch=${{ github.ref_name }} \
             https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .
-      - name: Install and run gitleaks
-        run: |
-          GITLEAKS_VERSION="8.18.4"
-          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
-            -o /tmp/gitleaks.tar.gz
-          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
-          /tmp/gitleaks detect --source . --verbose --redact
+      - name: Run gitleaks
+        run: gitleaks detect --source . --verbose --redact
   shellcheck:
     name: Shell Script Analysis
     runs-on: anvil
+    container:
+      image: docker.io/koalaman/shellcheck-alpine:stable
     steps:
+      - name: Install git
+        run: apk add --no-cache git
+
       - name: Checkout
         run: |
           git clone --depth=1 --branch=${{ github.ref_name }} \