diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 8c5cbeb..02ceb18 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -1,5 +1,7 @@ name: Build/Publish Docker Image +permissions: read-all + on: release: types: diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml index 12f7b77..34d76cb 100644 --- a/.github/workflows/helm-publish.yaml +++ b/.github/workflows/helm-publish.yaml @@ -1,5 +1,7 @@ name: Publish Helm Chart +permissions: read-all + on: release: types: diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 081ee5d..4f48580 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -11,12 +11,14 @@ on: branches: ["main"] permissions: - actions: read - security-events: write contents: read jobs: scan-scheduled: + permissions: + contents: read + actions: read + security-events: write if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5 with: @@ -26,6 +28,10 @@ jobs: -r ./ scan-pr: + permissions: + contents: read + actions: read + security-events: write if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5 with:
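Review bot: In the docker.yaml hunk, the new top-level `permissions: read-all` sets every scope to read, so a job that pushes to GHCR with `GITHUB_TOKEN` loses the `packages: write` (and, if images are signed or attested, `id-token: write`) it needs, and nothing in this hunk restores it. The jobs are outside the hunk, so confirm the publish job carries its own `permissions:` block (e.g. `contents: read` plus `packages: write`) or authenticates to the registry with a dedicated secret rather than the workflow token. Separately, `read-all` is wider than the default the same commit chooses for osv-scanner.yml: it also grants read on actions, packages, pull-requests, security-events and the rest, whereas an explicit `permissions:` / `  contents: read` at the top keeps the baseline minimal and lets only the pushing job widen its scopes. Using one form in all three workflows would also make the policy easier to audit.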
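Review bot: In the helm-publish.yaml hunk, `permissions: read-all` downgrades the token for the whole workflow, but publishing a chart typically needs a write scope — `contents: write` when chart-releaser pushes to a gh-pages branch or attaches release assets, or `packages: write` when the chart is pushed as an OCI artifact to GHCR — and no job-level override is visible here. The jobs lie outside this hunk, so verify the publishing job declares its own `permissions:` block with exactly the write scope it uses; otherwise the release-triggered run will fail at the push step. As with docker.yaml, prefer the explicit `permissions:` / `  contents: read` form used by osv-scanner.yml in this same commit over `read-all`, which still hands out read access on every scope.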
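Review bot: The first osv-scanner.yml hunk moves `actions: read` and `security-events: write` from the workflow level into the `scan-scheduled` job without recording why those two scopes exist, which is the question the next person tightening permissions will ask. A short comment above the job-level block would preserve the intent, e.g. `# security-events: write lets the reusable workflow upload its SARIF results; actions: read is needed by the SARIF upload on private repos` — presumably that is the reason, since the grant is handed straight to the pinned reusable workflow; confirm against v2.3.5's own permissions before wording it as fact. Note that for a `uses:` job these permissions are what the called workflow receives and it can only narrow them further, so keeping the block per job rather than at the top is the right shape.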
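Review bot: In the `scan-pr` hunk the job-level `security-events: write` is effectively ignored for pull requests from forks, because `GITHUB_TOKEN` is read-only there regardless of what the workflow requests, so if the reusable PR workflow uploads SARIF (which this grant suggests) those runs will fail at the upload step while same-repo PRs and `merge_group` runs succeed. That behaviour predates this commit, but the commit is where the grant became explicit, so a one-line comment such as `# on fork PRs the token is read-only, so the SARIF upload will not succeed` next to the block would stop someone from "fixing" it by switching the trigger to `pull_request_target`, which would run untrusted PR code with a writable token. If fork PR coverage matters, the safer route is a separate workflow that only consumes the uploaded artifact; the `with:` block and the rest of the job continue outside this hunk.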