diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml
index 302c4a23..5f9d2776 100644
--- a/.github/workflows/rl-scanner.yml
+++ b/.github/workflows/rl-scanner.yml
@@ -14,6 +14,7 @@ on:
 # Enable JWT read
 permissions:
   id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
 
 jobs:
   checkout-build-scan-only: