diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 42507c9d..3eef4d8c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,7 +18,7 @@ jobs:
 packages: write
 pull-requests: none
 repository-projects: none
- security-events: none
+ security-events: write # needed to write sarif to security tab
 statuses: none
 id-token: write # needed for signing the images with GitHub OIDC using cosign
 steps:
diff --git a/.github/workflows/schedule.yaml b/.github/workflows/schedule.yaml
index 7ad76054..44a15fb7 100644
--- a/.github/workflows/schedule.yaml
+++ b/.github/workflows/schedule.yaml
@@ -10,6 +10,19 @@ jobs:
 scan-backend:
 name: Scan backend image
 runs-on: ubuntu-latest
+ permissions:
+ actions: none
+ checks: none
+ contents: none
+ deployments: none
+ issues: none
+ packages: write
+ pull-requests: none
+ repository-projects: none
+ security-events: write
+ statuses: none
+ # needed for `cosign attest`
+ id-token: write
 steps:
 - uses: adfinis/container-scanning-action@v0.2.2
 with:
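Review bot: `security-events: write` is sufficient for a SARIF upload on a public repository, but if this repository is private the codeql-action upload step also needs `actions: read` to resolve the workflow run, and the `actions:` entry of this permissions block sits above the hunk, so check it is not `none` in that case. The new inline comment could name the consumer so a later reader knows which step to check when trimming permissions: `security-events: write # upload-sarif: publish scan results to the Security tab`. The enclosing job definition starts before and continues after this hunk.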
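Review bot: The scan job is granted `id-token: write` and `packages: write`, yet its only visible step is a third-party action referenced by a mutable tag, `adfinis/container-scanning-action@v0.2.2`; whoever can move that tag receives an OIDC token carrying this repository's identity (usable for `cosign attest`/sign) plus push access to the package registry, so pin the action to a full commit SHA before widening its permissions, e.g. `- uses: adfinis/container-scanning-action@<commit-sha> # v0.2.2`. `security-events: write` has no comment here while the same key in release.yaml explains itself; add `# needed to upload sarif to the security tab` for consistency. If the repository is private, the SARIF upload additionally needs `actions: read`, which `actions: none` would block — this is inferred from the codeql-action's documented requirements, as the composite action's internals are not shown. The step's `with:` block continues past the hunk.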