diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index a90074843b..f72bc72c7f 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -11,11 +11,14 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   check-run:
     name: Check PR run
     uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-    permissions: read-all
+    permissions:
+      contents: read
 
   sast:
     name: SAST scan