diff --git a/code-scanning/trivy.yml b/code-scanning/trivy.yml
index f778492b98..3d5373f22c 100644
--- a/code-scanning/trivy.yml
+++ b/code-scanning/trivy.yml
@@ -14,8 +14,14 @@ on:
 schedule:
 - cron: $cron-weekly
 
+permissions:
+ contents: read
+
 jobs:
 build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 name: Build
 runs-on: "ubuntu-18.04"
 steps:
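Review bot: The job-level `permissions` block added under `build` lists only `contents` and `security-events`, and because an explicit block sets every unlisted scope to none, the job's token no longer carries `actions: read`. github/codeql-action/upload-sarif uses that scope in private repositories to read the workflow run status, so a private repository adopting this template would likely see the SARIF upload fail. I would add `actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status` next to the two existing entries. The steps of `build` lie outside the hunk, so this assumes the upload step is the one named in the added comment.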