diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index cfa05e0c..10144f1b 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -10,7 +10,9 @@ on:
   pull_request_target:
     types: [opened, synchronize]
 
-permissions: read-all
+permissions:
+  contents: read
+  pull-requests: write
 
 jobs:
   check-run: