diff --git a/.github/workflows/scan_codeql.yml b/.github/workflows/scan_codeql.yml
index 2c1274f0de7..aeedfc9eac9 100644
--- a/.github/workflows/scan_codeql.yml
+++ b/.github/workflows/scan_codeql.yml
@@ -4,15 +4,16 @@ name: CodeQL
 on:
   workflow_call:
 
-permissions:
-  actions: read
-  contents: read
-  security-events: write
+permissions: read-all
 
 jobs:
   codeql:
     name: CodeQL
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
 
     steps:
     - name: Clone the git repo