diff --git a/.github/workflows/clone-staging.yaml b/.github/workflows/clone-staging.yaml
index 790246328..ef259c3b6 100644
--- a/.github/workflows/clone-staging.yaml
+++ b/.github/workflows/clone-staging.yaml
@@ -19,6 +19,7 @@ jobs:
       CF_USERNAME: ${{ secrets.CF_MS_USERNAME }}
       CF_PASSWORD: ${{ secrets.CF_MS_PASSWORD }}
     steps:
+        - uses: GitHubSecurityLab/actions-permissions/monitor@v1
         - name: Clone Database
           run: |
             # install cf cli and other tools
diff --git a/.github/workflows/createcachetable.yaml b/.github/workflows/createcachetable.yaml
index 207ecf70e..768bf050d 100644
--- a/.github/workflows/createcachetable.yaml
+++ b/.github/workflows/createcachetable.yaml
@@ -37,6 +37,7 @@ jobs:
       CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME
       CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Create cache table for ${{ github.event.inputs.environment }}
         uses: cloud-gov/cg-cli-tools@main
         with:
diff --git a/.github/workflows/daily-csv-upload.yaml b/.github/workflows/daily-csv-upload.yaml
index 9cacfc3bf..41fb00971 100644
--- a/.github/workflows/daily-csv-upload.yaml
+++ b/.github/workflows/daily-csv-upload.yaml
@@ -13,6 +13,7 @@ jobs:
       CF_USERNAME: CF_${{ secrets.CF_REPORT_ENV }}_USERNAME
       CF_PASSWORD: CF_${{ secrets.CF_REPORT_ENV }}_PASSWORD
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Generate current-federal.csv
         uses: cloud-gov/cg-cli-tools@main
         with:
diff --git a/.github/workflows/deploy-development.yaml b/.github/workflows/deploy-development.yaml
index fa447ed76..9b4ce00e1 100644
--- a/.github/workflows/deploy-development.yaml
+++ b/.github/workflows/deploy-development.yaml
@@ -17,6 +17,8 @@ jobs:
   deploy-development:
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      
       - uses: actions/checkout@v3
 
       - name: Compile USWDS assets
diff --git a/.github/workflows/deploy-manual.yaml b/.github/workflows/deploy-manual.yaml
index a85cc7565..7033bc129 100644
--- a/.github/workflows/deploy-manual.yaml
+++ b/.github/workflows/deploy-manual.yaml
@@ -44,6 +44,7 @@ jobs:
   variables:
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Setting global variables
         uses: actions/github-script@v6
         id: var
@@ -53,6 +54,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
       - name: Compile USWDS assets
         working-directory: ./src
diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml
index e9eb06627..52d0d1830 100644
--- a/.github/workflows/deploy-sandbox.yaml
+++ b/.github/workflows/deploy-sandbox.yaml
@@ -35,6 +35,7 @@ jobs:
       environment: ${{ steps.var.outputs.environment}}
     runs-on: "ubuntu-latest"
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Setting global variables
         uses: actions/github-script@v6
         id: var
@@ -45,6 +46,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [variables]
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
       - name: Compile USWDS assets
         working-directory: ./src
diff --git a/.github/workflows/deploy-stable.yaml b/.github/workflows/deploy-stable.yaml
index a1b947ca5..7a2e4a940 100644
--- a/.github/workflows/deploy-stable.yaml
+++ b/.github/workflows/deploy-stable.yaml
@@ -18,6 +18,7 @@ jobs:
     if: ${{ github.ref_type == 'tag' }}
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
 
       - name: Compile USWDS assets
diff --git a/.github/workflows/deploy-staging.yaml b/.github/workflows/deploy-staging.yaml
index 3cf5ad5a1..81e87b2df 100644
--- a/.github/workflows/deploy-staging.yaml
+++ b/.github/workflows/deploy-staging.yaml
@@ -18,6 +18,7 @@ jobs:
     if: ${{ github.ref_type == 'tag' }}
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
 
       - name: Compile USWDS assets
diff --git a/.github/workflows/issue-label-notifier.yaml b/.github/workflows/issue-label-notifier.yaml
index c4f10d48f..ee6aaa844 100644
--- a/.github/workflows/issue-label-notifier.yaml
+++ b/.github/workflows/issue-label-notifier.yaml
@@ -10,6 +10,7 @@ jobs:
   notify:
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: jenschelkopf/issue-label-notification-action@1.3
         with:
           recipients: |
diff --git a/.github/workflows/migrate.yaml b/.github/workflows/migrate.yaml
index 1853b3c4f..e18791cad 100644
--- a/.github/workflows/migrate.yaml
+++ b/.github/workflows/migrate.yaml
@@ -45,6 +45,7 @@ jobs:
       CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME
       CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Run Django migrations for ${{ github.event.inputs.environment }}
         uses: cloud-gov/cg-cli-tools@main
         with:
diff --git a/.github/workflows/reset-db.yaml b/.github/workflows/reset-db.yaml
index 111555b3c..8e060beaa 100644
--- a/.github/workflows/reset-db.yaml
+++ b/.github/workflows/reset-db.yaml
@@ -45,6 +45,7 @@ jobs:
       CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME
       CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Delete existing data for ${{ github.event.inputs.environment }}
         uses: cloud-gov/cg-cli-tools@main
         with:
diff --git a/.github/workflows/security-check.yaml b/.github/workflows/security-check.yaml
index aea700613..ae58b37c6 100644
--- a/.github/workflows/security-check.yaml
+++ b/.github/workflows/security-check.yaml
@@ -54,6 +54,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - name: Check out
         uses: actions/checkout@v3
       - name: MockUserLogin should not be in settings.MIDDLEWARE
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 642e9dc30..7c7576cae 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -21,6 +21,7 @@ jobs:
   python-linting:
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
 
       - name: Linting
@@ -32,6 +33,7 @@ jobs:
   python-test:
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
 
       - name: Unit tests
@@ -41,6 +43,7 @@ jobs:
   django-migrations-complete:
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v3
 
       - name: Check for complete migrations