diff --git a/.github/workflows/semgrep_diff.yml b/.github/workflows/semgrep_diff.yml
index 4b03d1ccb..4e7d6c067 100644
--- a/.github/workflows/semgrep_diff.yml
+++ b/.github/workflows/semgrep_diff.yml
@@ -15,6 +15,10 @@ name: Semgrep Differential Scan
 on:
   pull_request:
 
+permissions:
+  contents: read
+  statuses: write
+
 jobs:
   semgrep-diff:
     uses: adoptium/.github/.github/workflows/semgrep_diff.yml@main