diff --git a/.github/workflows/gitleak-scan.yml b/.github/workflows/gitleak-scan.yml
index c7f5e3dc..35d3084a 100644
--- a/.github/workflows/gitleak-scan.yml
+++ b/.github/workflows/gitleak-scan.yml
@@ -4,6 +4,8 @@ on: [pull_request, push, workflow_dispatch]
 permissions:
   contents: read
   pull-requests: read
+  security-events: write
+  actions: read
 
 jobs:
   gitleaks:
@@ -17,6 +19,6 @@ jobs:
         with:
           scan-scope: "all"
           source: "./"
-          config_path: "./ci/gitleaks_baselines/os-image-composer-gitleaks.csv"
-          report_format: "csv"
+          config_path: "./ci/gitleaks_baselines/os-image-composer-gitleaks.sarif"
+          report_format: "sarif"
           redact: "true"
\ No newline at end of file