diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 72835e0b..f13bc860 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
@@ -21,6 +21,8 @@ jobs:
   scan-scheduled:
     permissions:
       contents: read
+      actions: read
+      security-events: write
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0
     with:
@@ -41,6 +43,8 @@ jobs:
   scan-pr:
     permissions:
       contents: read
+      actions: read
+      security-events: write
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0
     with: