diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 6e358c1..82c328c 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -5,6 +5,11 @@ on:
     - cron: '0 2 * * *'  # 每天 UTC 02:00（北京时间 10:00）
   workflow_dispatch:     # 支持手动触发
 
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
 jobs:
   security-scan:
     name: Security Scan (${{ matrix.branch }})