diff --git a/.github/workflows/on-push-verification.yml b/.github/workflows/on-push-verification.yml
index 26957cd..112f402 100644
--- a/.github/workflows/on-push-verification.yml
+++ b/.github/workflows/on-push-verification.yml
@@ -1,6 +1,8 @@
 # pull request action verification
 
 name: OSSAR on-push-verification windows-latest
+permissions:
+  contents: read
 on: push
 
 jobs:
diff --git a/.github/workflows/sample-workflow-ubuntu-latest.yml b/.github/workflows/sample-workflow-ubuntu-latest.yml
index ded2258..c9aa799 100644
--- a/.github/workflows/sample-workflow-ubuntu-latest.yml
+++ b/.github/workflows/sample-workflow-ubuntu-latest.yml
@@ -11,6 +11,9 @@ on:
 jobs:
   sample:
     name: Open Source Static Analysis Runner
+    permissions:
+      contents: read
+      security-events: write
 
     # OSSAR runs on windows-latest.
     # ubuntu-latest and macos-latest supporting coming soon
diff --git a/.github/workflows/sample-workflow-windows-latest.yml b/.github/workflows/sample-workflow-windows-latest.yml
index 2533dc7..899459f 100644
--- a/.github/workflows/sample-workflow-windows-latest.yml
+++ b/.github/workflows/sample-workflow-windows-latest.yml
@@ -11,6 +11,9 @@ on:
 jobs:
   sample:
     name: Open Source Static Analysis Runner
+    permissions:
+      contents: read
+      security-events: write
 
     # OSSAR runs on windows-latest.
     # ubuntu-latest and macos-latest supporting coming soon