diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 05d2b53..0bbd333 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '27 9 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   bandit:
     permissions: