diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
index 5535706ead..50aee43494 100644
--- a/.github/workflows/semgrep.yaml
+++ b/.github/workflows/semgrep.yaml
@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [ "master", "main" ]
+# Explicitly scope GITHUB_TOKEN permissions (principle of least privilege).
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     name: Scan
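Review bot: A workflow-level `permissions:` block removes every scope not listed, so with only `contents: read` the `semgrep` job also loses `security-events`; if that job (its steps lie outside the hunk) uploads SARIF results to code scanning, the upload step will now fail with a token-permission error rather than silently degrade. If that is the case, grant the extra scope to that job alone with a job-level `permissions:` of `contents: read` plus `security-events: write`, and keep the workflow-level default at read-only as this hunk does. The added comment could also state what the token is actually needed for instead of restating the principle, e.g. `# GITHUB_TOKEN is read-only by default; a job that uploads SARIF must request security-events: write at the job level.`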