From 4aa7bd57673175e3f35ee3ec46f6c0c091a8c0b0 Mon Sep 17 00:00:00 2001
From: Adil Hafeez
Date: Fri, 13 Feb 2026 15:46:05 -0800
Subject: [PATCH] Add explicit permissions to Docker security scan workflow

Set minimal permissions: contents read for checkout, security-events write for SARIF upload to the GitHub Security tab.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/docker-security-scan.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/docker-security-scan.yml b/.github/workflows/docker-security-scan.yml
index 62b0cbdb..b335cb8a 100644
--- a/.github/workflows/docker-security-scan.yml
+++ b/.github/workflows/docker-security-scan.yml
@@ -9,6 +9,10 @@ on:
 - main
 pull_request:

+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 scan:
 runs-on: ubuntu-latest
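Review bot: The `security-events: write` grant added at workflow level will not take effect on `pull_request` runs that come from a fork, because GitHub caps the token at read-only there by default, so the SARIF upload step (outside this hunk, inferred from the commit message) would likely fail on those runs. Guard that step with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` rather than switching the trigger to `pull_request_target`, which would give a write-capable token to a run that handles PR-supplied content. The block would also be tighter under `jobs.scan` than at the top level, so that any other job in this file (not visible here) keeps a read-only token. Each line could carry its reason inline, e.g. `security-events: write  # SARIF upload to code scanning`.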