diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index f4ee5c6d88c2..d274b8d9595b 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -1,5 +1,9 @@
 name: OSV-Scanner
 
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
+
 on:
 pull_request:
 branches:
@@ -11,10 +15,7 @@ on:
 branches:
 - "main"
 schedule:
- - cron: '44 15 * * 5'
-
-permissions:
- contents: read
+ - cron: '44 15 * * 5'
 
 jobs:
 scan-scheduled:
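Review bot: With `permissions: {}` at workflow level and the old `contents: read` default removed in the second hunk, every job gets a GITHUB_TOKEN with no scopes unless it declares its own `permissions` block, and neither hunk adds one. The job definitions under `jobs:` (starting with `scan-scheduled`) continue outside the diff, so confirm each job already grants at least `contents: read`, plus `security-events: write` if it uploads scan results to code scanning. If a job calls a reusable workflow through `uses:`, the calling job's grant is the upper bound for the called workflow, so the block has to sit on the calling job. The new comment could state this directly, e.g. `# A job without its own permissions block gets no token scopes; this also caps reusable workflows it calls`.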