diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index bd11e66c82..dfd1c244fe 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,10 +1,14 @@
-name: build
+name: Trivy
 on:
 push:
 branches: [ develop ]
 pull_request:
 jobs:
 build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
 name: Build
 runs-on: ubuntu-22.04
 steps:
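Review bot: The `security-events: write` grant on the `build` job will not take effect for `pull_request` runs that come from forks, where GITHUB_TOKEN is read-only regardless of the `permissions:` block, so a SARIF upload step (presumably under `steps:`, outside this hunk) would fail on those runs. Consider guarding that step with a condition such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. Separately, no workflow-level `permissions:` is visible in the hunk, so any job added later would inherit the repository default token scope; a top-level `permissions: {}` would leave the job-level grants as the only ones in effect. The job's steps continue past the end of the hunk, so whether the upload step already has such a guard cannot be confirmed from here.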