diff --git a/docs/github-action.md b/docs/github-action.md
index ef3d757d771..62bc7f05bcf 100644
--- a/docs/github-action.md
+++ b/docs/github-action.md
@@ -42,8 +42,11 @@ on:
 merge_group:
 branches: [ main ]
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Only need to read contents
+ contents: read
 jobs:
 scan-pr: