diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index a3b68d2..412f3f2 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -80,7 +80,7 @@ output_stat(){
   declare -a arr
   local file_name_from_stat stat_output stat_output_newlined
 
-  if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then
+  if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then
     log error "Failed to run 'stat' on file: '${file_name}'!" >&2
     return 1
   fi
@@ -217,7 +217,7 @@ add_nosuid_statoverride_entry() {
         log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'"
         continue
       fi
-      if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then
+      if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then
         is_match_whitelisted="true"
         log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'"
         ## Stop looping through the match_white_list.
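Review bot: The `echo "${file_name}" |` half of this pipeline is left unguarded, because `echo` has no end-of-options marker and a value such as `-n` or `-e` would be consumed as an option, leaving grep with empty input. Since the script is bash, the substring test needs no pipeline at all: `if [[ "${file_name}" == *"${matchwhite_list_entry}"* ]]; then` treats the quoted entry literally, just as `--fixed-strings` does. The same applies to the `disablematch_list_entry` check in the next hunk. If `file_name` is always an absolute path this is only a consistency point, but the callers are outside the hunk, as are the start and end of the enclosing loop.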
@@ -232,7 +232,7 @@ add_nosuid_statoverride_entry() {
         log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'"
         continue
       fi
-      if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then
+      if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then
         is_disable_whitelisted="true"
         log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'"
         ## Stop looping through the disablewhitelist.
@@ -392,12 +392,12 @@ set_file_perms() {
         continue
       fi
 
-      if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then
+      if ! grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then
         log error "Owner from config does not exist: '${owner_from_config}'" >&2
         continue
       fi
 
-      if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then
+      if ! grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then
         log error "Group from config does not exist: '${group_from_config}'" >&2
         continue
       fi
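Review bot: Both existence checks match `${owner_from_config}:` and `${group_from_config}:` as an unanchored substring of any line, so a config value such as `oot`, or `x` on a typical shadow-password system, passes because `oot:` and `x:` occur inside ordinary entries. A misspelled owner or group would get past this guard and only fail, or be misapplied, further down in `set_file_perms`, outside the hunk. Comparing the first field exactly closes that gap: `awk -F: -v name="${owner_from_config}" '$1 == name { found = 1 } END { exit !found }' "${store_dir}/private/passwd"`, and likewise for the group file. The awk form reads the whole file and has no pipeline, so it cannot hit the SIGPIPE and `pipefail` problem described in the `parse_config_folder` comment.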
@@ -435,7 +435,7 @@ set_file_perms() {
       if test "${dpkg_statoverride_list_exit_code}" = "0"; then
         local grep_line
         grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}"
-        if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then
+        if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then
           log info "The owner/group/mode matches fso entry. No further action required."
         else
           log info "The owner/group/mode does not match fso entry, updating entry."
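Review bot: `grep_line` is matched as a substring, so an existing override for a longer path that begins with `${fso_without_trailing_slash}`, with the same owner, group and mode, satisfies this test and the shorter path is logged as "No further action required" without getting its own entry. Adding `--line-regexp` makes the comparison exact, assuming `grep_line` is formatted exactly like a line of the buffered list output, which this hunk does not show. Reading from a here-string also avoids the `echo | grep --quiet` SIGPIPE and `pipefail` interaction that the comment in `parse_config_folder` warns about: `if grep --quiet --fixed-strings --line-regexp -- "${grep_line}" <<<"${dpkg_statoverride_list_output}"; then`.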
@@ -498,22 +498,22 @@ set_file_perms() {
       ## The value of the capability argument is not permitted for a file. Or
       ## the file is not a regular (non-symlink) file
       ## Therefore use echo_wrapper_ignore.
-      echo_wrapper_ignore verbose setcap -r "${fso}"
-      getcap_output="$(getcap "${fso}")"
+      echo_wrapper_ignore verbose setcap -r -- "${fso}"
+      getcap_output="$(getcap -- "${fso}")"
       if test -n "${getcap_output}"; then
         exit_code=205
         log error "Removing capabilities failed. File: '${fso}'" >&2
         continue
       fi
     else
-      if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then
+      if ! capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then
         log error "Capability from config does not exist: '${capability_from_config}'" >&2
         continue
       fi
 
       ## feature request: dpkg-statoverride: support for capabilities
       ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
-      echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}"
+      echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}"
     fi
 
   done <"${config_file}"
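Review bot: `setcap` may not accept `--`. To my knowledge libcap's `setcap` does not use getopt but reads its arguments as capability/file pairs, in which case `setcap -r -- "${fso}"` would target a file named `--` and then try to parse `${fso}` as capability text. The removal runs under `echo_wrapper_ignore`, so such a failure would be silent except where the following `getcap` check catches it. Please confirm against the installed libcap before merging; if `--` is unsupported, keep `setcap -r "${fso}"` and reject or `./`-prefix any `fso` that begins with `-`. Separately, the last grep in the `capsh` pipeline still treats `${capability_from_config}` as a regex substring, so a partial name like `cap_sys` passes; `grep --quiet --fixed-strings --word-regexp -- "${capability_from_config}"` would match whole capability names only.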
@@ -530,7 +530,7 @@ parse_config_folder() {
   ## Query contents of password and group databases only once and buffer them
   ##
   ## If we don't buffer we sometimes get incorrect results when checking for
-  ## entries using 'if getent passwd | grep --quiet '^root:'; ...' since
+  ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since
   ## 'grep' exits after the first match in this case causing 'getent' to
   ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is
   ## set for this script.