diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml
index 874f43b3ca..0fbbf87958 100644
--- a/code-scanning/snyk-container.yml
+++ b/code-scanning/snyk-container.yml
@@ -22,8 +22,14 @@ on:
   schedule:
     - cron: $cron-weekly
 
+permissions:
+  contents: read
+
 jobs:
   snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3