diff --git a/.github/workflows/secrets-scan.yaml b/.github/workflows/secrets-scan.yaml
index 424a8d8..ed9e76f 100644
--- a/.github/workflows/secrets-scan.yaml
+++ b/.github/workflows/secrets-scan.yaml
@@ -3,6 +3,10 @@ name: Secrets Scan with Trivy
 on:
   pull_request:
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   scan:
     runs-on: ubuntu-latest