Secure anchore analysis workflow

Signed-off-by: freddidierRTE <[email protected]>

Author: freddidierRTE

.github/workflows/anchore-analysis.yml

@@ -7,8 +7,14 @@ on:
     - cron:  '0 1 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   Anchore-Build-Scan:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the code