diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 8242a02c..a423c3ff 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -6,6 +6,11 @@ on:
 jobs:
 docker:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
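Review bot: The added `permissions:` block is scoped to the `docker` job only, so any other job in this workflow, now or later, would still receive the repository's default GITHUB_TOKEN scopes. The rest of the file is outside the hunk, so this may already be handled. If it is not, a workflow-level default such as `permissions: {}` above `jobs:` would make every job start with no token access and opt in explicitly, as `docker` now does. The three grants match what the inline comments say checkout and the SARIF upload need. The `steps:` list continues past the hunk, so whether the actions it calls are pinned to a commit SHA cannot be checked from here; that matters more now that this job holds `security-events: write`.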