diff --git a/.github/workflows/scan_coverage.yml b/.github/workflows/scan_coverage.yml
index 6be2314d7e..c6cb1500c5 100644
--- a/.github/workflows/scan_coverage.yml
+++ b/.github/workflows/scan_coverage.yml
@@ -7,6 +7,11 @@ on:
       CODECOV_TOKEN:
         required: true
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 env:
   # Note: All coverage scans, e.g. on pull requests, should be run in the same
   # environment.
@@ -24,8 +29,6 @@ env:
   TEST_BUILD:   debug
   FAULT_INJECTION: 1
 
-permissions: {}
-
 jobs:
   linux:
     name: Linux