diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7766539b2..5911e9f93 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -87,6 +87,7 @@ jobs:
     name: Vulnerability Scan
     uses: ./.github/workflows/vulncheck.yml
     permissions:
+      contents: read
       security-events: write
     with:
       target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}