diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index d64327a2..f305074d 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -15,7 +15,15 @@ on:
     branches: ["main"]
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions:
+  # Needs to be read-all for general access
+  contents: read
+  security-events: write  # For uploading security results
+  id-token: write        # For publishing results
+  actions: read
+  issues: read
+  pull-requests: read
+  checks: read
 
 jobs:
   analysis: