From 14e8e34b2dc496c9617df6ec5de36d990e9e34a2 Mon Sep 17 00:00:00 2001
From: Matt Bishop <mbishop@bitwarden.com>
Date: Wed, 27 Mar 2024 12:35:13 -0400
Subject: [PATCH] Adjust scan permissions (#8513)

---
 .github/workflows/scan.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index ea9e69226a..878171cd17 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -10,8 +10,6 @@ on:
   pull_request_target:
     types: [opened, synchronize]
 
-permissions: read-all
-
 jobs:
   check-run:
     name: Check PR run
@@ -22,6 +20,8 @@ jobs:
     runs-on: ubuntu-22.04
     needs: check-run
     permissions:
+      contents: read
+      pull-requests: write
       security-events: write
 
     steps:
@@ -43,7 +43,7 @@ jobs:
           additional_params: --report-format sarif --output-path . ${{ env.INCREMENTAL }}
 
       - name: Upload Checkmarx results to GitHub
-        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
         with:
           sarif_file: cx_result.sarif
 
@@ -51,6 +51,9 @@ jobs:
     name: Quality scan
     runs-on: ubuntu-22.04
     needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
       - name: Check out repo