diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 8429189..3159748 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -5,6 +5,8 @@ on:
 branches:
 - master
+permissions: read-all
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index aa6728a..866c0a3 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,6 +1,9 @@
 name: Generate terraform docs
 on: [pull_request]
+
+permissions: read-all
+
 jobs:
 docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index ea79893..0891011 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -5,6 +5,8 @@ on:
 branches:
 - master
+permissions: read-all
+
 jobs:
 docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 3c1dbb0..0797eff 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,8 @@ name: Lint
 on: [push]
+permissions: read-all
+
 jobs:
 tflint:
 name: Lint
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 0000000..30bbcb2
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,18 @@
+name: Scan
+
+on: [push]
+
+permissions: read-all
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ - name: Run Checkov action
+ id: checkov
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ directory: .
+ framework: terraform
\ No newline at end of file
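Review bot: `permissions: read-all` in auto-release.yml is set at workflow level, so it caps the GITHUB_TOKEN for the `publish` job; the job's steps are outside this hunk, but if they create a tag or release with that token they need `contents: write` and will presumably start failing once this lands. The same applies to the `docs` jobs in docs.yml and documentation.yml if they commit or publish generated documentation. `read-all` also grants read on every scope rather than only the ones the jobs use; the least-privilege form is a top-level `permissions:` block with `contents: read`, plus a job-level `permissions:` block (for example `contents: write` on `publish`) where a job has to write. lint.yml receives the same broad grant, and `contents: read` would likely suffice there.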
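Review bot: Both `uses:` lines in the new scan.yml reference mutable tags (`actions/checkout@v3`, `bridgecrewio/checkov-action@v12`), so the code this job runs can change without any commit to this repository; the third-party action in particular should be pinned to a full commit SHA, e.g. `uses: bridgecrewio/checkov-action@<full-commit-sha>  # v12` (placeholder, to be resolved from the action's release). The job only reads the checkout, so a `permissions:` block with `contents: read` is enough in place of `read-all`. With `on: [push]` alone, pull requests from forks are not scanned before merge; adding `pull_request` to the trigger list would cover them. The file also ends without a trailing newline.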