diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index a97fafd..1e99f15 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -4,6 +4,9 @@ name: "Security Scan: Snyk IaC"
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   snyk:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
index e424d63..285cab9 100644
--- a/.github/workflows/superlinter.yml
+++ b/.github/workflows/superlinter.yml
@@ -4,6 +4,9 @@ name: "Code Quality: Super-Linter"
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   superlinter:
     name: Super-Linter
diff --git a/.github/workflows/terraform-docs.yml b/.github/workflows/terraform-docs.yml
index 82049db..5b8254c 100644
--- a/.github/workflows/terraform-docs.yml
+++ b/.github/workflows/terraform-docs.yml
@@ -4,6 +4,9 @@ name: "Documentation: terraform-docs"
 on:
   pull_request:
 
+permissions:
+  contents: write
+
 jobs:
   docs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
index d587baa..4618b40 100644
--- a/.github/workflows/tfsec.yml
+++ b/.github/workflows/tfsec.yml
@@ -4,6 +4,9 @@ name: "Security Scan: tfsec"
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   tfsec:
     runs-on: ubuntu-latest