diff --git a/.github/workflows/container-security-scan.yml b/.github/workflows/container-security-scan.yml
index 85065c828cc..f945d13220d 100644
--- a/.github/workflows/container-security-scan.yml
+++ b/.github/workflows/container-security-scan.yml
@@ -14,6 +14,9 @@ on:
 jobs:
   scan-sarif:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
 
     steps:
       - name: Checkout