diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml
index 7468a35e..9cf07e9b 100644
--- a/.github/workflows/analyze.yml
+++ b/.github/workflows/analyze.yml
@@ -11,6 +11,11 @@ jobs:
     name: CodeQL
     runs-on: ubuntu-latest
 
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2