diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
index f48d47d2e0..97882628ea 100644
--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -10,8 +10,14 @@ on:
 pull_request:
 branches: [ "master" ]
 
+permissions:
+ contents: read
+
 jobs:
 brakeman-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 name: Brakeman Scan
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index be8b721644..41c3047f50 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ env:
 RSPEC_RETRY_RETRY_COUNT: 3
 RAILS_ENV: test
 
+permissions:
+ contents: read
+
 jobs:
 rspec:
 runs-on: ubuntu-18.04
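Review bot: In `brakeman-analysis.yml`, the job-level `permissions` block on `brakeman-scan` lists only `contents: read` and `security-events: write`, and a job-level block replaces the workflow default rather than adding to it, so every other scope is `none` for this job. If the repository is private, `github/codeql-action/upload-sarif` also needs `actions: read`; I would add `actions: read # only needed in private repositories, for upload-sarif to read the run status`. Repository visibility cannot be seen from the diff, so please confirm. The visible trigger is `pull_request`, and for pull requests from forks the token is capped at read-only whatever this block says, so the SARIF upload step (outside the hunk) would presumably fail on those runs; a one-line comment recording that limitation would help whoever debugs it later.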
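Review bot: In `build.yml`, the new workflow-level `permissions` block is undocumented and sets every scope other than `contents` to `none` for all jobs in the file, while only the first lines of `rspec` are visible in this hunk. Any later step that uses `GITHUB_TOKEN` to comment on a pull request, publish check results or push an artifact to a registry would now be denied, so it is worth confirming none does, and granting the extra scope on that one job rather than widening the default. For consistency with the annotated scopes in `brakeman-analysis.yml`, I would write `contents: read # for actions/checkout to fetch code`, assuming the jobs check out the repository.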